Read time: 7 minutes
Software development lifecycle (SDLC) is a systematic process for developing software that ensures the quality and correctness of the code. It aims to produce high-quality software within the stipulated time and budget as per customers’ expectations. Each phase of SDLC has its own process and deliverables, which feed into the next phase. Some popular SDLC models include Waterfall, spiral, iterative, agile, etc.
There are only a few SDLC models which explicitly address software security in detail. However, it is necessary to incorporate secure software development practices into each SDLC model. There are various reasons why organizations should plan to implement secure software development practices, which include:
- To reduce the number of vulnerabilities in released software
- To minimize the potential impact of the exploitation of undetected vulnerabilities
- To address the root causes of vulnerabilities to prevent recurrences
Vulnerabilities not only include bugs caused by coding flaws but also weaknesses caused by improper security configuration settings, incorrect trust assumptions, and out-of-date risk analysis.
What is SSDF?
National Institute of Standards and Technology (NIST) has developed a Secure software development Framework, also called SSDF, to strengthen software’s resistance to vulnerabilities. It doesn’t define any new terminologies but consolidates longstanding best-practice recommendations on secure software development. In SSDF, the emphasis is on identifying the best practices rather than on the tools, techniques, and mechanisms used to implement the same.
As per NIST, the SSDF’s practices fall into four major categories:
- Prepare the Organization (PO)
Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will also find some PO practices to apply to subsets of their software development, like individual development groups or projects.
- Protect the Software (PS)
Organizations should protect all software components from tampering and unauthorized access.
- Produce Well-Secured Software (PW):
Organizations should produce well-secured software with minimal security vulnerabilities in its releases.
- Respond to Vulnerabilities (RV)
Organizations should identify residual vulnerabilities in their software releases and respond appropriately to address those vulnerabilities and prevent similar ones from occurring in the future.
Each practice definition includes the following elements:
The name of the practice and a unique identifier, followed by a brief explanation of what the practice is and why it is beneficial
One or more actions that may be required to carry out a practice
- Notional Implementation Examples
One or more notional examples of types of tools, processes, or other methods that could be used to help implement a task. No examples or combination of examples are required, and the stated examples are not the only feasible options. Some examples may not be applicable to certain organizations and situations.
Pointers to one or more established secure development practice documents and their mappings to a particular task. Not all references will apply to all instances of software development.
NIST recommends weighing risk against cost, feasibility, and applicability when deciding which practices to implement.
The SSDF is not a checklist; rather, it guides you to plan and implement a risk-based approach to secure software development.
Advantages of SSDF:
- It can assist organizations in any sector or community, regardless of their size.
- It can be applied to software developed to support information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or the Internet of Things (IoT)
- It can be integrated into any existing software development workflow and automated toolchain; however, it should not have a negative impact on the organizations that already have strong secure software development practices in place.
- It makes the practices broadly applicable, rather than being specific to particular technologies, platforms, programming languages, SDLC models, development environments, operating environments, tools, etc.
With NIST architecting SSDF, secure software development is quickly becoming a mandated priority on a large scale. If organizations adopt SSDF, it will help them remain protected from SDLC vulnerabilities and defend their software supply chains.
Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities