Skip to main content

BSAFSS

logo

Summary

The BSA Framework for Secure Software (BFAFSS) offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry. The framework also helps software development organizations describe the current state and target state of software security in individual software security products and services. The version used in this section is BSAFSS v1.1, September 2020.

Definitions

DefinitionRequirements
SC_3-2. Secure Coding (secure software against unsafe functions)
160. Encode system outputs
173. Discard unsafe inputs
SC_3-3. Secure Coding (secure software against unsafe functions)
029. Cookies with security attributes
173. Discard unsafe inputs
SC_4-1. Secure Coding (software architecture and design)
374. Use of isolation methods in running applications
SM_2-1. Measures to ensure visibility, traceability, and security of third-party components
262. Verify third-party components
SM_3-1. Supply chain data is protected
176. Restrict system objects
329. Keep client-side storage without sensitive data
SM_3-2. Supply chain data is protected
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
SM_4-1. Software measures to prevent counterfeiting and tampering
178. Use digital signatures
266. Disable insecure functionalities
SM_4-2. Software measures to prevent counterfeiting and tampering
229. Request access credentials
SM_6-1. Deployment procedures ensure that the usages of software are established
176. Restrict system objects
TC_1-2. Developed software using security tools
062. Define standard configurations
TC_1-6. Developed software using security tools
062. Define standard configurations
222. Deny access to the host machine
IA_1-1. Software development environment authenticates users and operators
122. Validate credential ownership
228. Authenticate using standard protocols
229. Request access credentials
236. Establish authentication time
264. Request authentication
IA_1-2. Software development environment authenticates users and operators
114. Deny access with inactive credentials
127. Store hashed passwords
IA_2-1. Policies to control access to data and processes
095. Define users with privileges
IA_2-2. Policies to control access to data and processes
096. Set user's required privileges
SI_1-2. Avoid architectural weaknesses of authentication failure
156. Source code without sensitive information
266. Disable insecure functionalities
SI_1-3. Avoid architectural weaknesses of authentication failure
319. Make authentication options equally secure
SI_1-4. Avoid architectural weaknesses of authentication failure
329. Keep client-side storage without sensitive data
375. Remove sensitive data from client-side applications
SI_1-5. Avoid architectural weaknesses of authentication failure
134. Store passwords with salt
185. Encrypt sensitive information
SI_2-1. Strong identity
228. Authenticate using standard protocols
EN_1-1. Encryption strategy and mechanisms
185. Encrypt sensitive information
EN_2-3. Avoid weak encryption
145. Protect system cryptographic keys
EN_2-4. Avoid weak encryption
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
EN_2-5. Avoid weak encryption
147. Use pre-existent mechanisms
224. Use secure cryptographic mechanisms
EN_3-1. Software protects and validates encryption keys
146. Remove cryptographic keys from RAM
EN_3-2. Software protects and validates encryption keys
089. Limit validity of certificates
093. Use consistent certificates
145. Protect system cryptographic keys
361. Replace cryptographic keys
EN_3-3. Software protects and validates encryption keys
090. Use valid certificates
093. Use consistent certificates
364. Provide extended validation (EV) certificates
AA_1-1. Principle of least privilege
186. Use the principle of least privilege
AA_1-2. Authorization and access controls
035. Manage privilege modifications
AA_1-3. Authorization and access controls
114. Deny access with inactive credentials
229. Request access credentials
264. Request authentication
AA_2-1. Authorization and access (support controls)
035. Manage privilege modifications
LO_1-2. Logging of all critical security incident and event information
075. Record exceptional events in logs
LO_1-3. Logging of all critical security incident and event information
079. Record exact occurrence time of events
376. Register severity level
LO_2-2. Implement securely logging mechanisms
080. Prevent log modification
LO_2-3. Implement securely logging mechanisms
083. Avoid logging sensitive data
LO_2-4. Implement securely logging mechanisms
160. Encode system outputs
173. Discard unsafe inputs
EE_1-3. Error and exception handling capabilities
075. Record exceptional events in logs
077. Avoid disclosing technical information
VM_3-2. Vulnerability management
181. Transmit data using secure protocols
338. Implement perfect forward secrecy
CF_1-4. Secure software installation and operation
142. Change system default credentials
VN_1-2. Vulnerability notification and patching
262. Verify third-party components
VN_3-1. Vulnerability notification and patching (updates are accompanied by advisory messages)
262. Verify third-party components
VN_3-2. Vulnerability notification and patching (updates are accompanied by advisory messages)
301. Notify configuration changes
free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.