A secure environment ensures that the infrastructure used for development, testing, and production is protected from unauthorized access, malicious code, and other security threats. This reduces the risk of vulnerabilities being introduced into the software and limits potential damage from security breaches.
Development, testing and production environments are segregated.
[SSDF] Ensure strict segregation of development environmentsDevelopment and modification of software only takes place in development environments
[SSDF] Harden development environments for securityData from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment.
[CISA] Secure data security across environmentsUnauthorised access to the authoritative source for software is prevented.
[SSDF] Establish comprehensive access control criteriaUnauthorised modification of the authoritative source for software is prevented.
[SSDF] Ensure integrity of software releasesSecure development practices ensure that software is designed, developed, and tested with security in mind, minimizing vulnerabilities and coding errors. This approach proactively reduces the likelihood of future security issues and strengthens the overall integrity of the software.
Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.
[SSDF] Define and maintain security requirements for development infrastructures and processesSecDevOps practices are used for application development.
[SSDF] Compliance as code: Specify tools/tool types to mitigate risksThreat modelling is used in support of application development.
[SSDF] Apply threat modelling techniquesThe Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard is used in the development of mobile applications.
[OWASP] Encrypt sensitive data-at-rest effectivelyThe OWASP Top 10 for Large Language Model Applications are mitigated in the development of large language model applications.
[OWASP] Strictly enforce LLM access control policiesLarge language model applications evaluate the sentence perplexity of user prompts to detect and mitigate adversarial suffixes designed to assist in the generation of sensitive or harmful content.
[NIST AI RMF] Detect and block harmful LLM contentFiles containing executable content are digitally signed as part of application development.
[SSDF] Secure tools and reliably sign executablesInstallers, patches and updates are digitally signed or provided with cryptographic checksums as part of application development.
[SSDF] Secure tools and reliably sign updatesSecure configuration guidance is produced as part of application development.
[SSDF] Establish a secure configuration baselineApplications are comprehensively tested for vulnerabilities, using static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases.
[SSDF] Monitor and respond to vulnerabilities proactivelySoftware traceability ensures that all components of the software, including their origins and any changes, are documented and tracked. This enables transparency, making it easier to identify vulnerabilities, respond to incidents, and ensure compliance with security and regulatory standards.
A software bill of materials is produced and made available to consumers of software.
[SSDF] Archive software data for traceabilityAn effective vulnerability management process helps identify, report, and resolve vulnerabilities in a timely manner. By implementing a vulnerability disclosure program and setting clear reporting mechanisms, organizations can quickly address security risks and prevent potential exploitation.
A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.
[SSDF] Implement an accessible disclosure programA vulnerability disclosure policy is developed, implemented and maintained.
[SSDF] Develop and update disclosure policiesVulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained.
[SSDF] Define vulnerability management processesA ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation’s products and services.
[SSDF] Develop a security response playbook and host a security.txtVulnerabilities identified in applications are publicly disclosed (where appropriate to do so) by software developers in a timely manner.
[CISA] Manage responsible reporting processes effectivelyVulnerabilities identified in applications are resolved by software developers in a timely manner.
[SSDF] Analyze vulnerability risks for prioritizationIn resolving vulnerabilities, software developers perform root cause analysis and, to the greatest extent possible, seek to remediate entire vulnerability classes.
[SSDF] Perform root cause analysis for security