BSAFSS

Summary

The BSA Framework for Secure Software (BSAFSS) offers an outcome-focused, standards-based risk management tool for stakeholders in the software industry. The framework also helps software development organizations describe the current state and the target state of security in individual software products and services. The version used in this section is BSAFSS v1.1, September 2020.

Definitions

| Definition | Requirements |
|---|---|
| AA_1-1. Principle of least privilege | 186. Use the principle of least privilege |
| AA_1-2. Authorization and access controls | 035. Manage privilege modifications |
| AA_1-3. Authorization and access controls | 114. Deny access with inactive credentials; 229. Request access credentials; 264. Request authentication |
| AA_2-1. Authorization and access (support controls) | 035. Manage privilege modifications |
| CF_1-4. Secure software installation and operation | 142. Change system default credentials |
| EE_1-3. Error and exception handling capabilities | 075. Record exceptional events in logs; 077. Avoid disclosing technical information |
| EN_1-1. Encryption strategy and mechanisms | 185. Encrypt sensitive information |
| EN_2-3. Avoid weak encryption | 145. Protect system cryptographic keys |
| EN_2-4. Avoid weak encryption | 148. Set minimum size of asymmetric encryption; 149. Set minimum size of symmetric encryption |
| EN_2-5. Avoid weak encryption | 147. Use pre-existent mechanisms; 224. Use secure cryptographic mechanisms |
| EN_3-1. Software protects and validates encryption keys | 146. Remove cryptographic keys from RAM |
| EN_3-2. Software protects and validates encryption keys | 089. Limit validity of certificates; 093. Use consistent certificates; 145. Protect system cryptographic keys; 361. Replace cryptographic keys |
| EN_3-3. Software protects and validates encryption keys | 090. Use valid certificates; 093. Use consistent certificates; 364. Provide extended validation (EV) certificates |
| IA_1-1. Software development environment authenticates users and operators | 122. Validate credential ownership; 228. Authenticate using standard protocols; 229. Request access credentials; 236. Establish authentication time; 264. Request authentication |
| IA_1-2. Software development environment authenticates users and operators | 114. Deny access with inactive credentials; 127. Store hashed passwords |
| IA_2-1. Policies to control access to data and processes | 095. Define users with privileges |
| IA_2-2. Policies to control access to data and processes | 096. Set user's required privileges |
| LO_1-2. Logging of all critical security incident and event information | 075. Record exceptional events in logs |
| LO_1-3. Logging of all critical security incident and event information | 079. Record exact occurrence time of events; 376. Register severity level |
| LO_2-2. Implement securely logging mechanisms | 080. Prevent log modification |
| LO_2-3. Implement securely logging mechanisms | 083. Avoid logging sensitive data |
| LO_2-4. Implement securely logging mechanisms | 160. Encode system outputs; 173. Discard unsafe inputs |
| SC_3-2. Secure Coding (secure software against unsafe functions) | 160. Encode system outputs; 173. Discard unsafe inputs |
| SC_3-3. Secure Coding (secure software against unsafe functions) | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| SC_4-1. Secure Coding (software architecture and design) | 374. Use of isolation methods in running applications |
| SI_1-2. Avoid architectural weaknesses of authentication failure | 156. Source code without sensitive information; 266. Disable insecure functionalities |
| SI_1-3. Avoid architectural weaknesses of authentication failure | 319. Make authentication options equally secure |
| SI_1-4. Avoid architectural weaknesses of authentication failure | 329. Keep client-side storage without sensitive data; 375. Remove sensitive data from client-side applications |
| SI_1-5. Avoid architectural weaknesses of authentication failure | 134. Store passwords with salt; 185. Encrypt sensitive information |
| SI_2-1. Strong identity | 228. Authenticate using standard protocols |
| SM_2-1. Measures to ensure visibility, traceability, and security of third-party components | 262. Verify third-party components |
| SM_3-1. Supply chain data is protected | 176. Restrict system objects; 329. Keep client-side storage without sensitive data |
| SM_3-2. Supply chain data is protected | 181. Transmit data using secure protocols; 224. Use secure cryptographic mechanisms |
| SM_4-1. Software measures to prevent counterfeiting and tampering | 178. Use digital signatures; 266. Disable insecure functionalities |
| SM_4-2. Software measures to prevent counterfeiting and tampering | 229. Request access credentials |
| SM_6-1. Deployment procedures ensure that the usages of software are established | 176. Restrict system objects |
| TC_1-2. Developed software using security tools | 062. Define standard configurations |
| TC_1-6. Developed software using security tools | 062. Define standard configurations; 222. Deny access to the host machine |
| VM_3-2. Vulnerability management | 181. Transmit data using secure protocols; 338. Implement perfect forward secrecy |
| VN_1-2. Vulnerability notification and patching | 262. Verify third-party components |
| VN_3-1. Vulnerability notification and patching (updates are accompanied by advisory messages) | 262. Verify third-party components |
| VN_3-2. Vulnerability notification and patching (updates are accompanied by advisory messages) | 301. Notify configuration changes |