Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?

This is the first article in a five-part series on the recently published NIST 800-218, ‘The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities’.

Although the software development lifecycle (SDLC) has been around for a while, few SDLC models explicitly address software security in detail. The secure software development framework (SSDF) addresses this gap by describing a set of high-level secure practices.

Version 1.1 of The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities from NIST was just published on February 3rd, 2022. The document was first released in September of 2021, but the SSDF program first started in May 2021 after Executive Order 14028.

The secure practices in the framework are divided into four groups:

  1. Prepare the Organization (PO)
  2. Protect the Software (PS)
  3. Produce Well-Secured Software (PW)
  4. Respond to Vulnerabilities (RV)

Each group outlines practices which in turn provide tasks that may be needed to perform the practice. Each task has examples and references.

The SSDF is designed to be used by any organization in any sector, regardless of size or ability. It achieves this by focusing on the outcomes of the practices rather than on the tools, techniques, and mechanisms used to reach them. The SSDF defines a high-level subset of what organizations may need to do.

At Chainguard, we have helped contribute to the SSDF. We will be sharing a more detailed analysis of the SSDF to help those who are looking to adopt this approach in their organization. We will also show how open source projects such as Sigstore and SLSA can be easily leveraged for your secure software development requirements. Check out our ‘Quick Guide to the SSDF’ infographic below and stay tuned for the blog series!

Chainguard presents 'The Quick Guide to the Secure Software Development Framework'

The full series:

  1. Goodbye SDLC, Hello SSDF! What is the Secure Software Development Framework?
  2. I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For
  3. How Sigstore Can Help You and Your Team Follow the NIST SSDF Recommendations
  4. How SLSA maps to the SSDF
  5. How to make NIST’s SSDF work for Open Source Projects

Stay tuned for the next article in the series!
