Home

SSDF

Secure Software Development Framework, or SSDF, is a set of high-level, voluntary practices intended to help organizations integrate security into the software development lifecycle and the software supply chain. Published by the U.S. National Institute of Standards and Technology (NIST) in Special Publication 800-218 in 2020, SSDF provides a structured approach for building, acquiring, and maintaining software with reduced vulnerability risk.

The framework groups guidance into four core practices: Prepare the Organization, Protect the Software, Produce Well-Secured

A key emphasis of SSDF is software supply chain security, including the management of third-party components,

Usage and impact: SSDF is designed as guidance to help organizations establish or evaluate secure software

Software,
and
Respond
to
Vulnerabilities
and
Security
Incidents.
Each
practice
covers
multiple
secure
software
development
activities
that
span
governance,
risk
management,
requirements,
design,
development,
testing,
deployment,
and
ongoing
maintenance.
SSDF
emphasizes
how
security
considerations
should
be
woven
into
every
phase
of
software
creation
and
acquisition,
not
added
as
an
afterthought.
secure
defaults,
configuration,
and
patch
management.
The
framework
is
technology-neutral
and
adaptable
to
various
development
lifecycles,
including
Agile,
DevOps,
and
traditional
waterfall
processes,
making
it
applicable
to
both
product
teams
and
security
professionals.
development
programs.
It
is
not
a
certification
or
compliance
standard,
but
it
can
inform
internal
policies,
vendor
assessments,
and
procurement
criteria.
By
aligning
development
practices
with
SSDF,
organizations
aim
to
reduce
vulnerabilities
and
enhance
resilience
in
their
software
products.