Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
This is the first article in a five-part series on the recently published NIST 800-218 ‘The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities’.
Although the software development lifecycle (SDLC) has been around for a while, few SDLC models explicitly address software security in detail. The secure software development framework (SSDF) addresses this gap by describing a set of high-level secure practices.
Version 1.1 of The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities from NIST was just published on February 3rd, 2022. The document was first released in September of 2021, but the SSDF program first started in May 2021 after Executive Order 14028.
The secure practices in the framework are divided into four groups:
- Prepare the Organization (PO)
- Protect the Software (PS)
- Produce Well-Secured Software (PW)
- Respond to Vulnerabilities (RV)
Each group outlines practices, which in turn provide tasks that may be needed to perform the practice. Each task has examples and references.
The SSDF is designed to be used by any organization in any sector, regardless of size or ability. It achieves this by focusing on the outcomes of the practices rather than on the tools, techniques, and mechanisms used to reach them. The SSDF defines a high-level subset of what organizations may need to do.
At Chainguard, we have helped contribute to the SSDF. We will be sharing a more detailed analysis of the SSDF to help those who are looking to adopt this approach in their organization. We will also show how open source projects such as Sigstore and SLSA can be easily leveraged for your secure software development requirements. Check out our ‘Quick Guide to the SSDF’ infographic below and stay tuned for the blog series!

The full series:
- Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
- I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For
- How Sigstore Can Help You and Your Team Follow the NIST SSDF Recommendations
- How SLSA maps to the SSDF
- How to make NIST’s SSDF work for Open Source Projects
Stay tuned for the next article in the series!