SECURE SOFTWARE

GOAL1.Secure software environment

A secure environment ensures that the infrastructure used for development, testing, and production is protected from unauthorized access, malicious code, and other security threats. This reduces the risk of vulnerabilities being introduced into the software and limits potential damage from security breaches.

[ISM] Environment segregation ▼

Development, testing and production environments are segregated.

[SSDF] Ensure strict segregation of development environments

[ISM] Development environments ▼

Development and modification of software only takes place in development environments

[SSDF] Harden development environments for security

[ISM] Data security ▼

Data from production environments is not used in a development or testing environment unless the environment is secured to the same level as the production environment.

[CISA] Secure data security across environments

[ISM] Access control ▼

Unauthorised access to the authoritative source for software is prevented.

[SSDF] Establish comprehensive access control criteria
[SSDF] Secure data protection processes and mechanisms
[SSDF] Secure and restrict code access

[ISM] Secure modification ▼

Unauthorised modification of the authoritative source for software is prevented.

[SSDF] Ensure integrity of software releases

[ISM] HTTPS enforcement ▼

All web application content is offered exclusively using HTTPS.

[OWASP] Validate HTTP request headers

[ISM] Security headers ▼

Web applications implement Content-Security-Policy, HSTS and X-Frame-Options via security policy in response headers.

[SSDF] Secure code access

[ISM] Web application firewalls ▼

If using a web application firewall (WAF), disclosing the IP addresses of web servers under an organisation’s control (referred to as origin servers) is avoided and access to the origin servers is restricted to the WAF and authorised management networks.

[OWASP] Ensure server communication security

GOAL2.Secure software development

Secure development practices ensure that software is designed, developed, and tested with security in mind, minimizing vulnerabilities and coding errors. This approach proactively reduces the likelihood of future security issues and strengthens the overall integrity of the software.

[ISM] Secure-by-design ▼

Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.

[SSDF] Define and maintain security requirements for development infrastructures and processes
[SSDF] Establish secure internal development policies
[SSDF] Set security standards for third parties
[SSDF] Define and review team accountability
[SSDF] Provide training for secure development roles
[SSDF] Secure management commitment to development security
[SSDF] Maintain security lifecycle documentation records
[SSDF] Manage secure third-party software components
[SSDF] Develop secure in-house software components
[SSDF] Verify compliance of third-party components
[SSDF] Adhere to comprehensive secure coding practices

[ISM] SecDevOps practices ▼

SecDevOps practices are used for application development.

[SSDF] Compliance as code: Specify tools/tool types to mitigate risks
[SSDF] Compliance as code: Secure development environments
[SSDF] Shift-left security: Determine appropriate code review methods
[SSDF] Shift-left security: Perform early code review and analysis
[SSDF] Shared responsibility: Define roles and responsibilities
[SSDF] Automation: Automate toolchain to secure information
[SSDF] Automation: Implement secure toolchain management
[SSDF] Automation: Configure tools to generate secure artifacts
[SSDF] Collaboration: Establish vulnerability disclosure and collaboration
[SSDF] Collaboration: Perform secure code reviews collaboratively

[ISM] Threat modelling ▼

Threat modelling is used in support of application development.

[SSDF] Apply threat modelling techniques
[SSDF] Conduct thorough secure design reviews

[ISM] Mobile Application Security (OWASP) ▼

The Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard is used in the development of mobile applications.

[OWASP] Encrypt sensitive data-at-rest effectively
[OWASP] Use secure cryptography for data protection
[OWASP] Implement robust authentication mechanisms securely
[OWASP] Encrypt and secure data-in-transit
[OWASP] Follow best practices for platform interactions
[OWASP] Process data securely with updated practices
[OWASP] Implement strong anti-tampering mechanisms
[OWASP] Include user privacy and control measures

[ISM] LLM risk mitigation (OWASP top 10) ▼

The OWASP Top 10 for Large Language Model Applications are mitigated in the development of large language model applications.

[OWASP] Protect and prevent prompt injection
[OWASP] Ensure sensitive information disclosure
[OWASP] Consider entire LLM supply chain vulnerabilities
[OWASP] Prevent data and model poisoning
[OWASP] Prevent improper output handling
[OWASP] Limit and control LLM agency
[OWASP] Prevent system prompt leakage
[OWASP] Strengthen security of vectors and embeddings
[OWASP] Mitigate misinformation
[OWASP] Prevent unbounded consumption

[ISM] Evaluation of LLM applications ▼

Large language model applications evaluate the sentence perplexity of user prompts to detect and mitigate adversarial suffixes designed to assist in the generation of sensitive or harmful content.

[NIST AI RMF] Detect and block harmful LLM content
[NIST AI RMF] Mitigate misinformation and disinformation risks
[NIST AI RMF] Enhance LLM information security measures
[NIST AI RMF] Block abusive or harmful content generation

[ISM] Contents protection ▼

Files containing executable content are digitally signed as part of application development.

[SSDF] Secure tools and reliably sign executables

[ISM] Update protection ▼

Installers, patches and updates are digitally signed or provided with cryptographic checksums as part of application development.

[SSDF] Secure tools and reliably sign updates

[ISM] Secure configuration ▼

Secure configuration guidance is produced as part of application development.

[SSDF] Establish a secure configuration baseline
[SSDF] Apply and enforce secure default settings

[ISM] Security testing ▼

Applications are comprehensively tested for vulnerabilities, using static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases.

[SSDF] Monitor and respond to vulnerabilities proactively
[SSDF] Conduct automated vulnerability analysis regularly
[SSDF] Assess executable testing requirements thoroughly
[SSDF] Conduct comprehensive security test procedures

[ISM] Security verification ▼

The OWASP Application Security Verification Standard is used in the development of web applications.

[OWASP] Ensure secure design principle
[OWASP] Enforce strong user authentication
[OWASP] Ensure secure session management
[OWASP] Enforce strict acces control
[OWASP] Prevent injection and output vulnerabilities
[OWASP] Secure cryptographic data storage
[OWASP] Error handling and security logging
[OWASP] Comprehensive data security measures
[OWASP] Enforce secure communication
[OWASP] Prevent malicious code execution
[OWASP] Secure business logic workflows
[OWASP] Handle files and resources securely
[OWASP] Ensure secure API management
[OWASP] Maintain secure configurations

[ISM] Proactive Controls (OWASP Top) ▼

The OWASP Top 10 Proactive Controls are used in the development of web applications.

[OWASP] Enforce strict access controls
[OWASP] Protect sensitive data with encryption
[OWASP] Validate and sanitize user input
[OWASP] Embed security in application design
[OWASP] Ensure secure default configurations
[OWASP] Maintain secure dependencies
[OWASP] Implement strong identity management
[OWASP] Apply browser security controls
[OWASP] Monitor and log security events
[OWASP] Mitigate Server Side Request Forgery vulnerabilities

[ISM] Web application risk mitigation (OWASP Top 10) ▼

The OWASP Top 10 are mitigated in the development of web applications.

[OWASP] Strictly enforce LLM access control policies
[OWASP] Secure LLM data with cryptography
[OWASP] Validate and sanitize LLM inputs effectively
[OWASP] Integrate secure design in LLM applications
[OWASP] Review and secure LLM configurations
[OWASP] Maintain up-to-date LLM inventories
[OWASP] Implement strong authentication for LLM access
[OWASP] Ensure integrity of LLM code and models
[OWASP] Implement comprehensive logging for LLM security
[OWASP] Mitigate server-side request forgery risks

[ISM] Robust web application frameworks ▼

Robust web application frameworks are used in the development of web applications.

[SSDF] Manage framework security

[ISM] Web API security (OWASP API Security Top 10) ▼

The OWASP API Security Top 10 are mitigated in the development of web APIs.

[OWASP] Enforce strict object-level authorization
[OWASP] Implement secure API authentication
[OWASP] Validate object property access
[OWASP] Limit API resource consumption
[OWASP] Restrict function-level authorization
[OWASP] Prevent automated API abuse
[OWASP] Validate and restrict outbound requests
[OWASP] Secure API configurations
[OWASP] Manage API versions securely
[OWASP] Handle third-party API data securely

[ISM] Client authentication and authorization ▼

Authentication and authorisation of clients is performed when clients call web APIs that facilitate modification of data.

[OWASP] Enhance authentication security

[ISM] Client authentication and authorization ▼

Authentication and authorisation of clients is performed when clients call web APIs that facilitate access to data not authorised for release into the public domain.

[OWASP] Implement flexible authentication mechanisms

[ISM] API logging and auditing ▼

Web API calls that facilitate modification of data, or access to data not authorised for release into the public domain, are centrally logged.

[OWASP] Enforce data protection throughout its lifecycle

[ISM] Input validation and sanitization ▼

Validation or sanitisation is performed on all input handled by web applications.

[OWASP] Validate all user inputs to prevent injection attacks

[ISM] Output encoding and escaping ▼

Output encoding is performed on all output produced by web applications.

[OWASP] Apply proper output encoding to neutralize untrusted data

[ISM] Database query validation ▼

All queries to databases from web applications are filtered for legitimate content and correct syntax.

[OWASP] Protect database queries from injection attacks

[ISM] Parameterized queries and stored procedures ▼

Parameterised queries or stored procedures, instead of dynamically generated queries, are used by web applications for database interactions.

[OWASP] Ensure proper encoding when safer mechanisms are unavailable

[ISM] Error handling and disclosure control ▼

Web applications are designed or configured to provide as little error information as possible about the structure of databases.

[OWASP] Secure all sensitive credentials and secrets

[ISM] Database query logging and monitoring ▼

All queries to databases from web applications that are initiated by users, and any resulting crash or error messages, are centrally logged.

[OWASP] Enforce strong secret management policies

GOAL3.Software traceability

Software traceability ensures that all components of the software, including their origins and any changes, are documented and tracked. This enables transparency, making it easier to identify vulnerabilities, respond to incidents, and ensure compliance with security and regulatory standards.

[ISM] Software bill of materials ▼

A software bill of materials is produced and made available to consumers of software.

[SSDF] Archive software data for traceability
[SSDF] Safeguard provenance data for transparency

[ISM] Web application logging ▼

Web application crashes and error messages are centrally logged.

[SSDF] Comprehensive security testing

GOAL4.Vulnerability management

An effective vulnerability management process helps identify, report, and resolve vulnerabilities in a timely manner. By implementing a vulnerability disclosure program and setting clear reporting mechanisms, organizations can quickly address security risks and prevent potential exploitation.

[ISM] Vulnerability disclosure program ▼

A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.

[SSDF] Implement an accessible disclosure program

[ISM] Vulnerability disclosure policy ▼

A vulnerability disclosure policy is developed, implemented and maintained.

[SSDF] Develop and update disclosure policies

[ISM] Vulnerability disclosure process ▼

Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained.

[SSDF] Define vulnerability management processes

[ISM] Security information ▼

A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation’s products and services.

[SSDF] Develop a security response playbook and host a security.txt

[ISM] Vulnerability disclosure ▼

Vulnerabilities identified in applications are publicly disclosed (where appropriate to do so) by software developers in a timely manner.

[CISA] Manage responsible reporting processes effectively

[ISM] Vulnerability resolution ▼

Vulnerabilities identified in applications are resolved by software developers in a timely manner.

[SSDF] Analyze vulnerability risks for prioritization
[SSDF] Implement risk-based remediation plans

[ISM] Root cause analysis ▼

In resolving vulnerabilities, software developers perform root cause analysis and, to the greatest extent possible, seek to remediate entire vulnerability classes.

[SSDF] Perform root cause analysis for security
[SSDF] Identify patterns and systemic root causes
[SSDF] Eliminate vulnerability classes proactively
[SSDF] Refine development lifecycle to prevent recurrence