A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | NIST SSDF Tasks | NIST Identifier | OWASP SAMM Activity | ||||||||||||||||||||||||
2 | PO.1.1: Identify and document all security requirements for the organization’s software development infrastructures and processes, and maintain the requirements over time. | PO.1.1 | G-PC-1-A: Define policies and standards | ||||||||||||||||||||||||
3 | G-PC-2-A: Develop test procedures | ||||||||||||||||||||||||||
4 | G-PC-1-B: Identify compliance requirements | ||||||||||||||||||||||||||
5 | G-PC-2-B: Standardize policy and compliance requirements | ||||||||||||||||||||||||||
6 | D-SR-1-A: Identify security requirements | ||||||||||||||||||||||||||
7 | D-SR-2-A: Standardize and integrate security requirements | ||||||||||||||||||||||||||
8 | PO.1.2: Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time. | PO.1.2 | G-PC-1-A: Define policies and standards | ||||||||||||||||||||||||
9 | G-PC-2-A: Develop test procedures | ||||||||||||||||||||||||||
10 | G-PC-3-A: Measure compliance to policies and standards | ||||||||||||||||||||||||||
11 | G-PC-1-B: Identify compliance requirements | ||||||||||||||||||||||||||
12 | G-PC-2-B: Standardize policy and compliance requirements | ||||||||||||||||||||||||||
13 | G-PC-3-B: Measure compliance to external requirements | ||||||||||||||||||||||||||
14 | D-SR-1-A: Identify security requirements | ||||||||||||||||||||||||||
15 | D-SR-2-A: Standardize and integrate security requirements | ||||||||||||||||||||||||||
16 | D-SR-3-A: Develop a security requirements framework | ||||||||||||||||||||||||||
17 | PO.1.3: Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization’s own software. | PO.1.3 | D-SR-1-B: Perform vendor assessments | ||||||||||||||||||||||||
18 | D-SR-2-B: Discuss security responsibilities with suppliers | ||||||||||||||||||||||||||
19 | D-SR-3-B: Align security methodology with suppliers | ||||||||||||||||||||||||||
20 | PO.2.1: Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed. | PO.2.1 | G-EG-1-B: Identify security champions | ||||||||||||||||||||||||
21 | G-EG-2-B: Implement centers of excellence | ||||||||||||||||||||||||||
22 | G-EG-3-B: Establish a security community | ||||||||||||||||||||||||||
23 | PO.2.2: Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed. | PO.2.2 | G-EG-1-A: Train all stakeholders for awareness | ||||||||||||||||||||||||
24 | G-EG-2-A: Customize security training | ||||||||||||||||||||||||||
25 | G-EG-3-A: Standardize security guidance | ||||||||||||||||||||||||||
26 | PO.2.3: Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development- related roles and responsibilities. | PO.2.3 | G-SM-1-A: Identify the organization's risk appetite | ||||||||||||||||||||||||
27 | G-SM-2-A: Define the security strategy | ||||||||||||||||||||||||||
28 | G-SM-3-A: Align security and business strategies | ||||||||||||||||||||||||||
29 | PO.3.1: Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other. | PO.3.1 | D-SA-1-B: Identify tools and technologies | ||||||||||||||||||||||||
30 | D-SA-2-B: Promote preferred tools and technologies | ||||||||||||||||||||||||||
31 | D-SA-3-B: Enforce the use of recommended technologies | ||||||||||||||||||||||||||
32 | I-SB-2-A: Automate the build process | ||||||||||||||||||||||||||
33 | I-SB-3-A: Enforce a security baseline during build | ||||||||||||||||||||||||||
34 | I-SB-2-B: Review application dependencies for security | ||||||||||||||||||||||||||
35 | I-SB-3-B: Test application dependencies | ||||||||||||||||||||||||||
36 | I-SD-2-A: Automate deployment and integrate security checks | ||||||||||||||||||||||||||
37 | I-SD-3-A: Verify the integrity of deployment artifacts | ||||||||||||||||||||||||||
38 | I-SD-2-B: Include application secrets during deployment | ||||||||||||||||||||||||||
39 | I-SD-3-B: Enforce lifecycle management of application secrets | ||||||||||||||||||||||||||
40 | V-ST-1-A: Perform automated security testing | ||||||||||||||||||||||||||
41 | PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains. | PO.3.2 | D-SA-1-B: Identify tools and technologies | ||||||||||||||||||||||||
42 | D-SA-2-B: Promote preferred tools and technologies | ||||||||||||||||||||||||||
43 | D-SA-3-B: Enforce the use of recommended technologies | ||||||||||||||||||||||||||
44 | I-SB-2-A: Automate the build process | ||||||||||||||||||||||||||
45 | I-SB-3-A: Enforce a security baseline during build | ||||||||||||||||||||||||||
46 | I-SB-2-B: Review application dependencies for security | ||||||||||||||||||||||||||
47 | I-SB-3-B: Test application dependencies | ||||||||||||||||||||||||||
48 | I-SD-2-A: Automate deployment and integrate security checks | ||||||||||||||||||||||||||
49 | I-SD-3-A: Verify the integrity of deployment artifacts | ||||||||||||||||||||||||||
50 | I-SD-2-B: Include application secrets during deployment | ||||||||||||||||||||||||||
51 | I-SD-3-B: Enforce lifecycle management of application secrets | ||||||||||||||||||||||||||
52 | V-ST-2-A: Develop application-specific security test cases | ||||||||||||||||||||||||||
53 | PO.3.3: Configure tools to generate artifacts of their support of secure software development practices as defined by the organization. | PO.3.3 | G-PC-3-A: Measure compliance to policies and standards | ||||||||||||||||||||||||
54 | G-PC-3-B: Measure compliance to external requirements | ||||||||||||||||||||||||||
55 | D-SA-1-B: Identify tools and technologies | ||||||||||||||||||||||||||
56 | D-SA-2-B: Promote preferred tools and technologies | ||||||||||||||||||||||||||
57 | D-SA-3-B: Enforce the use of recommended technologies | ||||||||||||||||||||||||||
58 | I-SB-2-A: Automate the build process | ||||||||||||||||||||||||||
59 | I-SB-3-A: Enforce a security baseline during build | ||||||||||||||||||||||||||
60 | I-SB-2-B: Review application dependencies for security | ||||||||||||||||||||||||||
61 | I-SB-3-B: Test application dependencies | ||||||||||||||||||||||||||
62 | I-SD-2-A: Automate deployment and integrate security checks | ||||||||||||||||||||||||||
63 | I-SD-3-A: Verify the integrity of deployment artifacts | ||||||||||||||||||||||||||
64 | I-SD-2-B: Include application secrets during deployment | ||||||||||||||||||||||||||
65 | I-SD-3-B: Enforce lifecycle management of application secrets | ||||||||||||||||||||||||||
66 | V-ST-3-A: Integrate security testing tools in the delivery pipeline | ||||||||||||||||||||||||||
67 | PO.4.1: Define criteria for software security checks and track throughout the SDLC. | PO.4.1 | G-PC-1-A: Define policies and standards | ||||||||||||||||||||||||
68 | G-PC-2-A: Develop test procedures | ||||||||||||||||||||||||||
69 | G-PC-3-A: Measure compliance to policies and standards | ||||||||||||||||||||||||||
70 | V-RT-1-A: Test the effectiveness of security controls | ||||||||||||||||||||||||||
71 | V-RT-2-A: Define and run security test cases from requirements | ||||||||||||||||||||||||||
72 | V-RT-3-A: Automate security requirements testing | ||||||||||||||||||||||||||
73 | PO.4.2: Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria. | PO.4.2 | G-PC-1-A: Define policies and standards | ||||||||||||||||||||||||
74 | G-PC-2-A: Develop test procedures | ||||||||||||||||||||||||||
75 | G-PC-3-A: Measure compliance to policies and standards | ||||||||||||||||||||||||||
76 | V-RT-1-A: Test the effectiveness of security controls | ||||||||||||||||||||||||||
77 | V-RT-2-A: Define and run security test cases from requirements | ||||||||||||||||||||||||||
78 | V-RT-3-A: Automate security requirements testing | ||||||||||||||||||||||||||
79 | PO.5.1: Separate and protect each environment involved in software development. | PO.5.1 | O-EM-1-A: Use best-effort hardening | ||||||||||||||||||||||||
80 | O-EM-2-A: Establish hardening baselines | ||||||||||||||||||||||||||
81 | O-EM-3-A: Perform continuous configuration monitoring | ||||||||||||||||||||||||||
82 | I-SD-1-B: Protect application secrets in configuration and code | ||||||||||||||||||||||||||
83 | I-SD-2-B: Include application secrets during deployment | ||||||||||||||||||||||||||
84 | I-SD-3-B: Enforce lifecycle management of application secrets | ||||||||||||||||||||||||||
85 | O-IM-1-A: Use best-effort incident detection | ||||||||||||||||||||||||||
86 | O-IM-2-A: Define an incident detection process | ||||||||||||||||||||||||||
87 | O-IM-3-A: Improve the incident detection process | ||||||||||||||||||||||||||
88 | PO.5.2: Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach. | PO.5.2 | O-EM-1-A: Use best-effort hardening | ||||||||||||||||||||||||
89 | O-EM-2-A: Establish hardening baselines | ||||||||||||||||||||||||||
90 | O-EM-3-A: Perform continuous configuration monitoring | ||||||||||||||||||||||||||
91 | PS.1.1: Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access. | PS.1.1 | O-EM-1-A: Use best-effort hardening | ||||||||||||||||||||||||
92 | O-EM-2-A: Establish hardening baselines | ||||||||||||||||||||||||||
93 | O-EM-3-A: Perform continuous configuration monitoring | ||||||||||||||||||||||||||
94 | I-SD-2-A: Automate deployment and integrate security checks | ||||||||||||||||||||||||||
95 | I-SD-3-A: Verify the integrity of deployment artifacts | ||||||||||||||||||||||||||
96 | I-SD-1-B: Protect application secrets in configuration and code | ||||||||||||||||||||||||||
97 | I-SD-2-B: Include application secrets during deployment | ||||||||||||||||||||||||||
98 | I-SD-3-B: Enforce lifecycle management of application secrets | ||||||||||||||||||||||||||
99 | PS.2.1: Make software integrity verification information available to software acquirers. | PS.2.1 | I-SD-3-A: Verify the integrity of deployment artifacts | ||||||||||||||||||||||||
100 | PS.3.1: Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release. | PS.3.1 | I-SB-3-A: Enforce a security baseline during build |