Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
This is the first article in a five-part series on the recently published NIST 800-218 ‘The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities’.
Although the software development lifecycle (SDLC) has been around for a while, few SDLC models explicitly address software security in detail. The secure software development framework (SSDF) addresses this gap by describing a set of high-level secure practices.
Version 1.1 of The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities from NIST was just published on February 3rd, 2022. The document was first released in September 2021, but the SSDF program itself started in May 2021 after Executive Order 14028.
The secure practices in the framework are divided into four groups:
Prepare the Organization (PO)
Protect the Software (PS)
Produce Well-Secured Software (PW)
Respond to Vulnerabilities (RV)
Each group outlines practices, and each practice in turn lists the tasks that may be needed to perform it. Each task comes with examples and references.
The SSDF is designed to be used by any organization in any sector, regardless of size or ability. It achieves this by focusing on the outcomes of the practices rather than on the tools, techniques, and mechanisms used to achieve them. The SSDF defines a high-level subset of what organizations may need to do.
At Chainguard, we have helped contribute to the SSDF. We will be sharing a more detailed analysis of the SSDF to help those who are looking to adopt this approach in their organization. We will also show how open source projects such as Sigstore and SLSA can be easily leveraged for your secure software development requirements. Check out our ‘Quick Guide to the SSDF’ infographic below and stay tuned for the blog series!

The full series:
Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For
How Sigstore Can Help You and Your Team Follow the NIST SSDF Recommendations
How SLSA maps to the SSDF
How to make NIST’s SSDF work for Open Source Projects
Stay tuned for the next article in the series!