
NIST SSDF


Summary

The NIST Secure Software Development Framework (SSDF) is a set of fundamental, high-level secure software development practices based on established standards, guidance, and secure software development practice documents. The version used for this section is NIST 800-218 v1.1, February 2022.

Definitions

Definition
  Requirements

PO_1_3. Define security requirements for software development
  262. Verify third-party components
  330. Verify Subresource Integrity

PO_5_1. Implement and maintain secure environments for software development
  154. Eliminate backdoors
  259. Segment the organization network
  328. Request MFA for critical systems
  374. Use of isolation methods in running applications
  376. Register severity level

PS_1_1. Protect all forms of code from unauthorized access and tampering
  051. Store source code in a repository
  147. Use pre-existent mechanisms
  178. Use digital signatures
  266. Disable insecure functionalities
  302. Declare dependencies explicitly

PS_2_1. Provide a mechanism for verifying software release integrity
  046. Manage the integrity of critical files
  088. Request client certificates
  090. Use valid certificates
  224. Use secure cryptographic mechanisms
  330. Verify Subresource Integrity

PS_3_1. Archive and protect each software release
  040. Compare file format and extension
  041. Scan files for malicious code
  046. Manage the integrity of critical files
  177. Avoid caching and temporary files
  323. Exclude unverifiable files
  325. Protect WSDL files
  339. Avoid storing sensitive files in the web root

PW_1_1. Design software to meet security requirements and mitigate security risks
  032. Avoid session ID leakages
  037. Parameters without sensitive data
  114. Deny access with inactive credentials
  122. Validate credential ownership
  156. Source code without sensitive information
  180. Use mock data
  185. Encrypt sensitive information
  228. Authenticate using standard protocols
  261. Avoid exposing sensitive information
  264. Request authentication
  300. Mask sensitive data
  319. Make authentication options equally secure
  334. Avoid knowledge-based authentication

PW_1_3. Design software to meet security requirements and mitigate security risks
  062. Define standard configurations
  161. Define secure default options

PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
  048. Components with minimal dependencies
  062. Define standard configurations
  262. Verify third-party components
  302. Declare dependencies explicitly
  348. Use consistent encoding
  353. Schedule firmware updates

PW_4_4. Reuse existing, well-secured software when feasible instead of duplicating functionality
  262. Verify third-party components

PW_5_1. Archive and protect each software release
  156. Source code without sensitive information
  158. Use a secure programming language
  168. Initialize variables explicitly
  266. Disable insecure functionalities
  302. Declare dependencies explicitly
  342. Validate request parameters
  379. Keep low McCabe cyclomatic complexity

PW_6_1. Configure the compilation, interpreter, and build processes to improve executable security
  050. Control calls to interpreted code
  157. Use the strict mode
  158. Use a secure programming language
  344. Avoid dynamic code execution
  352. Enable trusted execution

PW_6_2. Configure the compilation, interpreter, and build processes to improve executable security
  062. Define standard configurations
  159. Obfuscate code
  184. Obfuscate application data

PW_9_1. Configure software to have secure settings by default
  062. Define standard configurations
  142. Change system default credentials
  254. Change SSID name
  341. Use the principle of deny by default

PW_9_2. Configure software to have secure settings by default
  161. Define secure default options

RV_2_2. Assess, prioritize, and remediate vulnerabilities
  062. Define standard configurations
  266. Disable insecure functionalities
  273. Define a fixed security suite
  313. Inform inability to identify users