BSAFSS

Summary

The BSA Framework for Secure Software (BFAFSS) offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry. The framework also helps software development organizations describe the current state and target state of software security in individual software security products and services. The version used in this section is BSAFSS v1.1, September 2020.

Definitions

Definition	Requirements
BSAFSS-SC_3-2. Secure Coding (secure software against unsafe functions)	160. Encode system outputs 173. Discard unsafe inputs
BSAFSS-SC_3-3. Secure Coding (secure software against unsafe functions)	173. Discard unsafe inputs 029. Cookies with security attributes
BSAFSS-SC_4-1. Secure Coding (software architecture and design)	374. Use of isolation methods in running applications
BSAFSS-SM_2-1. Measures to ensure visibility, traceability, and security of third-party components	262. Verify third-party components
BSAFSS-SM_3-1. Supply chain data is protected	176. Restrict system objects 329. Keep client-side storage without sensitive data
BSAFSS-SM_3-2. Supply chain data is protected	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
BSAFSS-SM_4-1. Software measures to prevent counterfeiting and tampering	178. Use digital signatures 266. Disable insecure functionalities
BSAFSS-SM_4-2. Software measures to prevent counterfeiting and tampering	229. Request access credentials
BSAFSS-SM_6-1. Deployment procedures ensure that the usages of software are established	176. Restrict system objects
BSAFSS-TC_1-2. Developed software using security tools	062. Define standard configurations
BSAFSS-TC_1-6. Developed software using security tools	222. Deny access to the host essential 062. Define standard configurations
BSAFSS-IA_1-1. Software development environment authenticates users and operators	122. Validate credential ownership 228. Authenticate using standard protocols 229. Request access credentials 236. Establish authentication time 264. Request authentication
BSAFSS-IA_1-2. Software development environment authenticates users and operators	114. Deny access with inactive credentials 127. Store hashed passwords
BSAFSS-IA_2-1. Policies to control access to data and processes	095. Define users with privileges
BSAFSS-IA_2-2. Policies to control access to data and processes	096. Set user's required privileges
BSAFSS-SI_1-2. Avoid architectural weaknesses of authentication failure	156. Source code without sensitive information 266. Disable insecure functionalities
BSAFSS-SI_1-3. Avoid architectural weaknesses of authentication failure	319. Make authentication options equally secure
BSAFSS-SI_1-4. Avoid architectural weaknesses of authentication failure	329. Keep client-side storage without sensitive data 375. Remove sensitive data from client-side applications
BSAFSS-SI_1-5. Avoid architectural weaknesses of authentication failure	134. Store passwords with salt 185. Encrypt sensitive information
BSAFSS-SI_2-1. Strong identity	228. Authenticate using standard protocols
BSAFSS-EN_1-1. Encryption strategy and mechanisms	185. Encrypt sensitive information
BSAFSS-EN_2-3. Avoid weak encryption	145. Protect system cryptographic keys
BSAFSS-EN_2-4. Avoid weak encryption	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption
BSAFSS-EN_2-5. Avoid weak encryption	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
BSAFSS-EN_3-1. Software protects and validates encryption keys	146. Remove cryptographic keys from RAM
BSAFSS-EN_3-2. Software protects and validates encryption keys	145. Protect system cryptographic keys 361. Replace cryptographic keys 089. Limit validity of certificates 093. Use consistent certificates
BSAFSS-EN_3-3. Software protects and validates encryption keys	364. Provide extended validation (EV) certificates 090. Use valid certificates 093. Use consistent certificates
BSAFSS-AA_1-1. Principle of least privilege	186. Use the principle of least privilege
BSAFSS-AA_1-2. Authorization and access controls	035. Manage privilege modifications
BSAFSS-AA_1-3. Authorization and access controls	114. Deny access with inactive credentials 229. Request access credentials 264. Request authentication
BSAFSS-AA_2-1. Authorization and access (support controls)	035. Manage privilege modifications
BSAFSS-LO_1-2. Logging of all critical security incident and event information	075. Record exceptional events in logs
BSAFSS-LO_1-3. Logging of all critical security incident and event information	376. Register severity level 079. Record exact occurrence time of events
BSAFSS-LO_2-2. Implement securely logging mechanisms	080. Prevent log modification
BSAFSS-LO_2-3. Implement securely logging mechanisms	083. Avoid logging sensitive data
BSAFSS-LO_2-4. Implement securely logging mechanisms	160. Encode system outputs 173. Discard unsafe inputs
BSAFSS-EE_1-3. Error and exception handling capabilities	075. Record exceptional events in logs 077. Avoid disclosing technical information
BSAFSS-VM_3-2. Vulnerability management	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
BSAFSS-CF_1-4. Secure software installation and operation	142. Change system default credentials
BSAFSS-VN_1-2. Vulnerability notification and patching	262. Verify third-party components
BSAFSS-VN_3-1. Vulnerability notification and patching (updates are accompanied by advisory messages)	262. Verify third-party components
BSAFSS-VN_3-2. Vulnerability notification and patching (updates are accompanied by advisory messages)	301. Notify configuration changes

Last updated

2023/09/18