NIST SSDF

Summary

The NIST Secure Software Development Framework (SSDF) is a set of fundamental and secure software development practices based on established secure software development practice documents, it describes a set of high-level practices based on established standards, guidance, and secure software development practice documents. The version used for this section is NIST 800-218 v1.1, February 2022.

Definitions

Definition	Requirements
NISTSSDF-PO_1_3. Define security requirements for software development	262. Verify third-party components 330. Verify Subresource Integrity
NISTSSDF-PO_5_1. Implement and maintain secure environments for software development	154. Eliminate backdoors 259. Segment the organization network 328. Request MFA for critical systems 374. Use of isolation methods in running applications 376. Register severity level
NISTSSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering	147. Use pre-existent mechanisms 178. Use digital signatures 266. Disable insecure functionalities 302. Declare dependencies explicitly 051. Store source code in a repository
NISTSSDF-PS_2_1. Provide a mechanism for verifying software release integrity	224. Use secure cryptographic mechanisms 330. Verify Subresource Integrity 046. Manage the integrity of critical files 088. Request client certificates 090. Use valid certificates
NISTSSDF-PS_3_1. Archive and protect each software release	177. Avoid caching and temporary files 323. Exclude unverifiable files 325. Protect WSDL files 339. Avoid storing sensitive files in the web root 040. Compare file format and extension 041. Scan files for malicious code 046. Manage the integrity of critical files
NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks	114. Deny access with inactive credentials 122. Validate credential ownership 156. Source code without sensitive information 180. Use mock data 185. Encrypt sensitive information 228. Authenticate using standard protocols 261. Avoid exposing sensitive information 264. Request authentication 300. Mask sensitive data 319. Make authentication options equally secure 334. Avoid knowledge-based authentication 032. Avoid session ID leakages 037. Parameters without sensitive data
NISTSSDF-PW_1_3. Design software to meet security requirements and mitigate security risks	161. Define secure default options 062. Define standard configurations
NISTSSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality	262. Verify third-party components 302. Declare dependencies explicitly 348. Use consistent encoding 353. Schedule firmware updates 048. Components with minimal dependencies 062. Define standard configurations
NISTSSDF-PW_4_4. Reuse existing, well-secured software when feasible instead of duplicating functionality	262. Verify third-party components
NISTSSDF-PW_5_1. Archive and protect each software release	156. Source code without sensitive information 158. Use a secure programming language 168. Initialize variables explicitly 266. Disable insecure functionalities 302. Declare dependencies explicitly 342. Validate request parameters 379. Keep low McCabe cyclomatic complexity
NISTSSDF-PW_6_1. Configure the compilation, interpreter, and build processes to improve executable security	157. Use the strict mode 158. Use a secure programming language 344. Avoid dynamic code execution 352. Enable trusted execution 050. Control calls to interpreted code
NISTSSDF-PW_6_2. Configure the compilation, interpreter, and build processes to improve executable security	159. Obfuscate code 184. Obfuscate application data 062. Define standard configurations
NISTSSDF-PW_9_1. Configure software to have secure settings by default	142. Change system default credentials 254. Change SSID name 341. Use the principle of deny by default 062. Define standard configurations
NISTSSDF-PW_9_2. Configure software to have secure settings by default	161. Define secure default options
NISTSSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities	266. Disable insecure functionalities 273. Define a fixed security suite 313. Inform inability to identify users 062. Define standard configurations

Last updated

2023/09/18