August 3, 2022

Last Updated on January 19, 2024

What exactly is a Software Development Life Cycle, or SDLC, and how does NIST’s Secure Software Development Framework impact the lifecycle your organization uses?

The SSDF will definitely impact you if your software is used by the US Government and will likely impact you even if it isn’t. However, a few choice practices can help make sense of these two critical processes and provide the highest chance for success.

Elzar Camper, Director of Cyber Security Solutions & Practices at Pivot Point Security, unpacks the SSDF. He shares the four practices and associated tasks that comprise SSDF, lays out the shifting landscape of government regulations and software development, and explains the non-prescriptive process of applying SSDF guidance to current SDLCs.

Defining SDLC and the SSDF

A SDLC is a methodology that ranges in formality depending on the context that outlines software design, creation, and maintenance. Without a robust, documented and repeatable SDLC, it would be difficult or impossible to ensure software integrity and long-term viability.

While almost every software developed involves an SDLC, it’s essential to ensure that whatever SDLC approach you use can be adapted to support improved security for both the software code and the development environment itself.

Every piece of software interacts with a different range of users and data and has unique risks.

Security controls may seem to hinder the speed of development in some SDLCs. But guidelines and practices to keep security at the forefront is increasingly vital to competitive success. Further, waiting until near the end of the SDLC to begin evaluating security ultimately costs more development time and resources than focusing on security from the beginning.

What about SSDF? Before security controls are introduced comprehensively into the SDLC, it’s vital to understand the gap between your current practices and the security functions that are “in scope” for your software.

SSDF is four practices made up of 42 tasks that outline for businesses how to improve overall software integrity. The SSDF does not dictate how your SDLC should operate. Instead, it serves as a roadmap to be integrated at a practical pace into existing and future software development activities.

Four core SSDF practices

The four practices make up the cornerstones of SSDF. These are the points of focus that the 42 tasks relate to.

The SSDF practices include:

  1. Prepare the organization
  2. Protect the software
  3. Produce well-secured software
  4. Respond to vulnerabilities

Each practice includes related tasks that provide a roadmap to success and can be customized based on an application’s risk profile.

While each of these practices and associated tasks is vital in achieving integrity and security in software development, a software security program cannot succeed without “tone at the top;” that is, executive buy-in.

“You can have all the policies and procedures and changes you want. But if no one thinks it’s important, and no one’s pushing it, it’s not going to go anywhere.” — Elzar Camper

Failing to support secure software development practices across your Dev program means that security will continue to falter in favor of minimizing time to market. But in today’s world, it’s not just time to market that’s important to success, but also provable security.

SSDF Implementation and how to use it to your advantage

The SSDF is not intended to be a cumbersome obstacle in software development. While implementing some of these pillars and notions into current SDLC practices may take an investment of time and resources, they will ultimately lead to an advantage against competitors.

Implementing NIST’s SSDF as soon as feasible will create more robust software with greater integrity that is more easily and quickly defended against threats.

This creates software that is more likely to be utilized by the government. The additional safety practices implemented in software design, creation, and maintenance can offer tremendous advantages, even if it takes a little longer to complete the development cycle.

Jumping in and weaving SSDF practices into existing SDLC systems is vital to ensure optimal competitive advantage as well as regulatory compliance.

“The first conversation you have to have is that important scoping and boundary conversation, and understand what the application is doing.” — Elzar Camper

Implementing SSDF should not require a complete overhaul of development systems and workflows. Instead, it will provide a roadmap that will ultimately fuel increased security and integrity.

What’s next?

To listen to the podcast episode on the NIST SSDF with Elzar Camper, click here.

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!