BSAFSS

Summary

The BSA Framework for Secure Software (BFAFSS) offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry. The framework also helps software development organizations describe the current state and target state of software security in individual software security products and services. The version used in this section is BSAFSS v1.1, September 2020.

Definitions

Definition	Requirements
SC_3-2. Secure Coding (secure software against unsafe functions)	160. Encode system outputs 173. Discard unsafe inputs
SC_3-3. Secure Coding (secure software against unsafe functions)	029. Cookies with security attributes 173. Discard unsafe inputs
SC_4-1. Secure Coding (software architecture and design)	374. Use of isolation methods in running applications
SM_2-1. Measures to ensure visibility, traceability, and security of third-party components	262. Verify third-party components
SM_3-1. Supply chain data is protected	176. Restrict system objects 329. Keep client-side storage without sensitive data
SM_3-2. Supply chain data is protected	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
SM_4-1. Software measures to prevent counterfeiting and tampering	178. Use digital signatures 266. Disable insecure functionalities
SM_4-2. Software measures to prevent counterfeiting and tampering	229. Request access credentials
SM_6-1. Deployment procedures ensure that the usages of software are established	176. Restrict system objects
TC_1-2. Developed software using security tools	062. Define standard configurations
TC_1-6. Developed software using security tools	062. Define standard configurations 222. Deny access to the host machine
IA_1-1. Software development environment authenticates users and operators	122. Validate credential ownership 228. Authenticate using standard protocols 229. Request access credentials 236. Establish authentication time 264. Request authentication
IA_1-2. Software development environment authenticates users and operators	114. Deny access with inactive credentials 127. Store hashed passwords
IA_2-1. Policies to control access to data and processes	095. Define users with privileges
IA_2-2. Policies to control access to data and processes	096. Set user's required privileges
SI_1-2. Avoid architectural weaknesses of authentication failure	156. Source code without sensitive information 266. Disable insecure functionalities
SI_1-3. Avoid architectural weaknesses of authentication failure	319. Make authentication options equally secure
SI_1-4. Avoid architectural weaknesses of authentication failure	329. Keep client-side storage without sensitive data 375. Remove sensitive data from client-side applications
SI_1-5. Avoid architectural weaknesses of authentication failure	134. Store passwords with salt 185. Encrypt sensitive information
SI_2-1. Strong identity	228. Authenticate using standard protocols
EN_1-1. Encryption strategy and mechanisms	185. Encrypt sensitive information
EN_2-3. Avoid weak encryption	145. Protect system cryptographic keys
EN_2-4. Avoid weak encryption	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption
EN_2-5. Avoid weak encryption	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
EN_3-1. Software protects and validates encryption keys	146. Remove cryptographic keys from RAM
EN_3-2. Software protects and validates encryption keys	089. Limit validity of certificates 093. Use consistent certificates 145. Protect system cryptographic keys 361. Replace cryptographic keys
EN_3-3. Software protects and validates encryption keys	090. Use valid certificates 093. Use consistent certificates 364. Provide extended validation (EV) certificates
AA_1-1. Principle of least privilege	186. Use the principle of least privilege
AA_1-2. Authorization and access controls	035. Manage privilege modifications
AA_1-3. Authorization and access controls	114. Deny access with inactive credentials 229. Request access credentials 264. Request authentication
AA_2-1. Authorization and access (support controls)	035. Manage privilege modifications
LO_1-2. Logging of all critical security incident and event information	075. Record exceptional events in logs
LO_1-3. Logging of all critical security incident and event information	079. Record exact occurrence time of events 376. Register severity level
LO_2-2. Implement securely logging mechanisms	080. Prevent log modification
LO_2-3. Implement securely logging mechanisms	083. Avoid logging sensitive data
LO_2-4. Implement securely logging mechanisms	160. Encode system outputs 173. Discard unsafe inputs
EE_1-3. Error and exception handling capabilities	075. Record exceptional events in logs 077. Avoid disclosing technical information
VM_3-2. Vulnerability management	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
CF_1-4. Secure software installation and operation	142. Change system default credentials
VN_1-2. Vulnerability notification and patching	262. Verify third-party components
VN_3-1. Vulnerability notification and patching (updates are accompanied by advisory messages)	262. Verify third-party components
VN_3-2. Vulnerability notification and patching (updates are accompanied by advisory messages)	301. Notify configuration changes

free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.