ABCDEFGHIJKLMNOPQRSTUVWXYZAA
1
NIST SSDF TasksNIST IdentifierOWASP SAMM Activity
2
PO.1.1: Identify and document all security requirements for the organization’s software development infrastructures and processes, and maintain the requirements over time.PO.1.1G-PC-1-A: Define policies and standards
3
G-PC-2-A: Develop test procedures
4
G-PC-1-B: Identify compliance requirements
5
G-PC-2-B: Standardize policy and compliance requirements
6
D-SR-1-A: Identify security requirements
7
D-SR-2-A: Standardize and integrate security requirements
8
PO.1.2: Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time.PO.1.2G-PC-1-A: Define policies and standards
9
G-PC-2-A: Develop test procedures
10
G-PC-3-A: Measure compliance to policies and standards
11
G-PC-1-B: Identify compliance requirements
12
G-PC-2-B: Standardize policy and compliance requirements
13
G-PC-3-B: Measure compliance to external requirements
14
D-SR-1-A: Identify security requirements
15
D-SR-2-A: Standardize and integrate security requirements
16
D-SR-3-A: Develop a security requirements framework
17
PO.1.3: Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization’s own software.PO.1.3D-SR-1-B: Perform vendor assessments
18
D-SR-2-B: Discuss security responsibilities with suppliers
19
D-SR-3-B: Align security methodology with suppliers
20
PO.2.1: Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed.PO.2.1G-EG-1-B: Identify security champions
21
G-EG-2-B: Implement centers of excellence
22
G-EG-3-B: Establish a security community
23
PO.2.2: Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed.PO.2.2G-EG-1-A: Train all stakeholders for awareness
24
G-EG-2-A: Customize security training
25
G-EG-3-A: Standardize security guidance
26
PO.2.3: Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development- related roles and responsibilities.PO.2.3G-SM-1-A: Identify the organization's risk appetite
27
G-SM-2-A: Define the security strategy
28
G-SM-3-A: Align security and business strategies
29
PO.3.1: Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.PO.3.1D-SA-1-B: Identify tools and technologies
30
D-SA-2-B: Promote preferred tools and technologies
31
D-SA-3-B: Enforce the use of recommended technologies
32
I-SB-2-A: Automate the build process
33
I-SB-3-A: Enforce a security baseline during build
34
I-SB-2-B: Review application dependencies for security
35
I-SB-3-B: Test application dependencies
36
I-SD-2-A: Automate deployment and integrate security checks
37
I-SD-3-A: Verify the integrity of deployment artifacts
38
I-SD-2-B: Include application secrets during deployment
39
I-SD-3-B: Enforce lifecycle management of application secrets
40
V-ST-1-A: Perform automated security testing
41
PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains.PO.3.2D-SA-1-B: Identify tools and technologies
42
D-SA-2-B: Promote preferred tools and technologies
43
D-SA-3-B: Enforce the use of recommended technologies
44
I-SB-2-A: Automate the build process
45
I-SB-3-A: Enforce a security baseline during build
46
I-SB-2-B: Review application dependencies for security
47
I-SB-3-B: Test application dependencies
48
I-SD-2-A: Automate deployment and integrate security checks
49
I-SD-3-A: Verify the integrity of deployment artifacts
50
I-SD-2-B: Include application secrets during deployment
51
I-SD-3-B: Enforce lifecycle management of application secrets
52
V-ST-2-A: Develop application-specific security test cases
53
PO.3.3: Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.PO.3.3G-PC-3-A: Measure compliance to policies and standards
54
G-PC-3-B: Measure compliance to external requirements
55
D-SA-1-B: Identify tools and technologies
56
D-SA-2-B: Promote preferred tools and technologies
57
D-SA-3-B: Enforce the use of recommended technologies
58
I-SB-2-A: Automate the build process
59
I-SB-3-A: Enforce a security baseline during build
60
I-SB-2-B: Review application dependencies for security
61
I-SB-3-B: Test application dependencies
62
I-SD-2-A: Automate deployment and integrate security checks
63
I-SD-3-A: Verify the integrity of deployment artifacts
64
I-SD-2-B: Include application secrets during deployment
65
I-SD-3-B: Enforce lifecycle management of application secrets
66
V-ST-3-A: Integrate security testing tools in the delivery pipeline
67
PO.4.1: Define criteria for software security checks and track throughout the SDLC.PO.4.1G-PC-1-A: Define policies and standards
68
G-PC-2-A: Develop test procedures
69
G-PC-3-A: Measure compliance to policies and standards
70
V-RT-1-A: Test the effectiveness of security controls
71
V-RT-2-A: Define and run security test cases from requirements
72
V-RT-3-A: Automate security requirements testing
73
PO.4.2: Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria.PO.4.2G-PC-1-A: Define policies and standards
74
G-PC-2-A: Develop test procedures
75
G-PC-3-A: Measure compliance to policies and standards
76
V-RT-1-A: Test the effectiveness of security controls
77
V-RT-2-A: Define and run security test cases from requirements
78
V-RT-3-A: Automate security requirements testing
79
PO.5.1: Separate and protect each environment involved in software development.PO.5.1O-EM-1-A: Use best-effort hardening
80
O-EM-2-A: Establish hardening baselines
81
O-EM-3-A: Perform continuous configuration monitoring
82
I-SD-1-B: Protect application secrets in configuration and code
83
I-SD-2-B: Include application secrets during deployment
84
I-SD-3-B: Enforce lifecycle management of application secrets
85
O-IM-1-A: Use best-effort incident detection
86
O-IM-2-A: Define an incident detection process
87
O-IM-3-A: Improve the incident detection process
88
PO.5.2: Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.PO.5.2O-EM-1-A: Use best-effort hardening
89
O-EM-2-A: Establish hardening baselines
90
O-EM-3-A: Perform continuous configuration monitoring
91
PS.1.1: Store all forms of code – including source
code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.		PS.1.1O-EM-1-A: Use best-effort hardening
92
O-EM-2-A: Establish hardening baselines
93
O-EM-3-A: Perform continuous configuration monitoring
94
I-SD-2-A: Automate deployment and integrate security checks
95
I-SD-3-A: Verify the integrity of deployment artifacts
96
I-SD-1-B: Protect application secrets in configuration and code
97
I-SD-2-B: Include application secrets during deployment
98
I-SD-3-B: Enforce lifecycle management of application secrets
99
PS.2.1: Make software integrity verification information available to software acquirers.PS.2.1I-SD-3-A: Verify the integrity of deployment artifacts
100
PS.3.1: Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.PS.3.1I-SB-3-A: Enforce a security baseline during build