Fluid Attacks Database

NIST SSDF

Last updated: 2023/09/18

The NIST Secure Software Development Framework (SSDF) is a set of fundamental and secure software development practices based on established secure software development practice documents, it describes a set of high-level practices based on established standards, guidance, and secure software development practice documents. The version used for this section is NIST 800-218 v1.1, February 2022.

Control-Requirement Mapping

Definition	Requirements
PO_1_3. Define security requirements for software development	262. Verify third-party components 330. Verify Subresource Integrity
PO_5_1. Implement and maintain secure environments for software development	154. Eliminate backdoors 259. Segment the organization network 328. Request MFA for critical systems 374. Use of isolation methods in running applications 376. Register severity level
PS_1_1. Protect all forms of code from unauthorized access and tampering	147. Use pre-existent mechanisms 178. Use digital signatures 266. Disable insecure functionalities 302. Declare dependencies explicitly 051. Store source code in a repository
PS_2_1. Provide a mechanism for verifying software release integrity	224. Use secure cryptographic mechanisms 330. Verify Subresource Integrity 046. Manage the integrity of critical files 088. Request client certificates 090. Use valid certificates
PS_3_1. Archive and protect each software release	177. Avoid caching and temporary files 323. Exclude unverifiable files 325. Protect WSDL files 339. Avoid storing sensitive files in the web root 040. Compare file format and extension 041. Scan files for malicious code 046. Manage the integrity of critical files
PW_1_1. Design software to meet security requirements and mitigate security risks	114. Deny access with inactive credentials 122. Validate credential ownership 156. Source code without sensitive information 180. Use mock data 185. Encrypt sensitive information 228. Authenticate using standard protocols 261. Avoid exposing sensitive information 264. Request authentication 300. Mask sensitive data 319. Make authentication options equally secure 334. Avoid knowledge-based authentication 032. Avoid session ID leakages 037. Parameters without sensitive data
PW_1_3. Design software to meet security requirements and mitigate security risks	161. Define secure default options 062. Define standard configurations
PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality	262. Verify third-party components 302. Declare dependencies explicitly 348. Use consistent encoding 353. Schedule firmware updates 048. Components with minimal dependencies 062. Define standard configurations
PW_4_4. Reuse existing, well-secured software when feasible instead of duplicating functionality	262. Verify third-party components
PW_5_1. Archive and protect each software release	156. Source code without sensitive information 158. Use a secure programming language 168. Initialize variables explicitly 266. Disable insecure functionalities 302. Declare dependencies explicitly 342. Validate request parameters 379. Keep low McCabe cyclomatic complexity
PW_6_1. Configure the compilation, interpreter, and build processes to improve executable security	157. Use the strict mode 158. Use a secure programming language 344. Avoid dynamic code execution 352. Enable trusted execution 050. Control calls to interpreted code
PW_6_2. Configure the compilation, interpreter, and build processes to improve executable security	159. Obfuscate code 184. Obfuscate application data 062. Define standard configurations
PW_9_1. Configure software to have secure settings by default	142. Change system default credentials 254. Change SSID name 341. Use the principle of deny by default 062. Define standard configurations
PW_9_2. Configure software to have secure settings by default	161. Define secure default options
RV_2_2. Assess, prioritize, and remediate vulnerabilities	266. Disable insecure functionalities 273. Define a fixed security suite 313. Inform inability to identify users 062. Define standard configurations

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.