While we have discussed many of the emerging sources of industry guidance from private and public sector organizations, the next couple of chapters will strive to give some practical guidance to both suppliers and consumers. This will include a synthesis of guidance from the sources we've discussed, as well as industry best practices and advice based on the author's professional experience as well.

Not all the recommendations, best practices, and processes may be practical to implement for all suppliers. Just like the diverse ecosystem of software consumers, software suppliers exist on a spectrum as it relates to resources, expertise, and constraints. It will often be a dichotomy between software consumers and suppliers, depending on the industry, business relationship, regulatory requirements, and contractual aspects at play to come to terms with what does or doesn't get implemented, provided, or disclosed and under what circumstances.

Vulnerability Disclosure and Response PSIRT

We've spoken quite a bit about industry frameworks such as NIST's Secure Software Development Framework (SSDF) in other chapters of this book, so it makes sense to cite it as an example here as well.

As discussed, SSDF calls for organizations to implement sound practices to help aid secure software development. It lays out the practices across four groups: Preparing the Organization, Protecting Software, Producing Well-Secured Software, and Responding to ...