Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
This is the first article in a five-part series on the recently published NIST 800-218 ‘The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities’.
Although the software development lifecycle (SDLC) has been around for a while, few SDLC models explicitly address software security in detail. The secure software development framework (SSDF) addresses this gap by describing a set of high-level secure practices.
Version 1.1 of The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities from NIST was just published on February 3rd, 2022. The document was first released in September of 2021, but the SSDF program first started in May 2021 after Executive Order 14028.
The secure practices in the framework are divided into four groups:
Prepare the Organization (PO)
Protect the Software (PS)
Produce Well-Secured Software (PW)
Respond to Vulnerabilities (RV)
Each group outlines practices, which in turn list the tasks that may be needed to perform the practice. Each task comes with implementation examples and references.
The SSDF is designed to be used by any organization in any sector, regardless of size or ability. It achieves this by focusing on the outcomes of the practices rather than on the specific tools, techniques, and mechanisms used to reach them. The SSDF defines a high-level subset of what organizations may need to do.
At Chainguard, we have helped contribute to the SSDF. We will be sharing a more detailed analysis of the SSDF to help those who are looking to adopt this approach in their organization. We will also show how open source projects such as Sigstore and SLSA can be easily leveraged for your secure software development requirements. Check out our ‘Quick Guide to the SSDF’ infographic below and stay tuned for the blog series!

The full series:
Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For
How Sigstore Can Help You and Your Team Follow the NIST SSDF Recommendations
How SLSA maps to the SSDF
How to make NIST’s SSDF work for Open Source Projects
Stay tuned for the next article in the series!