NIST CYBERSECURITY WHITE PAPER CSRC.NIST.GOV

Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)

Donna Dodson
Applied Cybersecurity Division
Information Technology Laboratory

Murugiah Souppaya
Computer Security Division
Information Technology Laboratory

Karen Scarfone
Scarfone Cybersecurity
Clifton, VA

April 23, 2020

This publication is available free of charge from: https://doi.org/10.6028/NIST.CSWP.04232020

Abstract

Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well secured. This white paper recommends a core set of high-level secure software development practices, called a secure software development framework (SSDF), to be integrated within each SDLC implementation. The paper facilitates communication about secure software development practices among business owners, software developers, project managers and leads, and cybersecurity professionals within an organization. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Also, because the framework provides a common vocabulary for secure software development, software consumers can use it to foster communication with suppliers in acquisition processes and other management activities.

Keywords

secure software development; secure software development framework (SSDF); secure software development practices; software acquisition; software development; software development life cycle (SDLC); software security.
Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.

Additional Information

For additional information on NIST’s Cybersecurity programs, projects, and publications, visit the Computer Security Resource Center. Information on other efforts at NIST and in the Information Technology Laboratory (ITL) is also available.

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Email: ssdf@nist.gov

All comments are subject to release under the Freedom of Information Act (FOIA).

Acknowledgments

The authors wish to thank all of the individuals and organizations who provided comments on the preliminary ideas and drafts, particularly BSA | The Software Alliance, the Information Security and Privacy Advisory Board (ISPAB), and the members of the Software Assurance Forum for Excellence in Code (SAFECode). The authors also greatly appreciate the thoughtful public comments submitted by many organizations and individuals, including the Administrative Offices of the U.S. Courts, The Aerospace Corporation, BSA | The Software Alliance, Capitis Solutions, the Consortium for Information & Software Quality (CISQ), HackerOne, Honeycomb Secure Systems, iNovex, Ishpi Information Technologies, Juniper Networks, Medical Imaging & Technology Alliance (MITA), Microsoft, Naval Sea Systems Command (NAVSEA), the National Institute of Standards and Technology (NIST), Northrop Grumman, Office of the Undersecretary of Defense for Research and Engineering, RedHat, SAFECode, and the Software Engineering Institute (SEI).

Audience

There are two primary audiences for this white paper. The first is software producers (e.g., commercial-off-the-shelf [COTS] product vendors, government-off-the-shelf [GOTS] software developers, custom software developers) regardless of size, sector, or level of maturity. The second is software consumers, both federal government agencies and other organizations. Readers of this document are not expected to be experts in secur