Compliance Glossary

The NIST Secure Software Development Framework, or NIST SP 800-218, is a set of practices employed by NIST to be embedded in the development cycle of software. The framework promotes the concept of “security-by-design,” which supports developers in discovering and solving vulnerabilities at every stage of development. This approach reduces the chances that released software harbors undiscovered vulnerabilities and actively addresses the root causes of those vulnerabilities to make the software more resilient.

There are four core activities of the SSDF:

1. Prepare the Organization: It focuses on establishing a culture that is security-oriented and preparing training programs for the security teams based on security best practices.
2. Protect the Software: This phase of the handbook tells organizations what should be done to protect the software throughout its lifecycle and includes secure coding practices, code review, and more.
3. Produce Well-Secured Software: In this phase, defects are discovered and fixed at design stage and tested continuously at the time of development.
4. Address Vulnerabilities: This involves patch management and incident responses in a way that every vulnerability found can be solved and addressed to maintain the integrity and security of the software even after release.

The SSDF accommodates other NIST frameworks into its system to thereby create a holistic approach for software security.