NIST SSDF
Tool Best Practices
PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains.
Example 1: Evaluate, select, and acquire tools, and assess the security of each tool.
Example 2: Integrate tools with other tools and existing software development processes and workflows.
Example 3: Use code-based configuration for toolchains (e.g., pipelines-as-code, toolchains-as-code).
Example 4: Implement the technologies and processes needed for reproducible builds.
Example 5: Update, upgrade, or replace tools as needed to address tool vulnerabilities or add new tool capabilities.
Example 6: Continuously monitor tools and tool logs for potential operational and security issues, including policy violations and anomalous behavior.
Example 7: Regularly verify the integrity and check the provenance of each tool to identify potential problems.
Example 8: See PW.6.1 and PW.6.2 regarding compiler, interpreter, and build tools and their hardening.
Example 9: See PO.5.1 and PO.5.2 regarding implementing and maintaining secure environments.
CMMI Maturity
Not Applicable - Not applicable
Level 1: Initial - Unpredictable and reactive. Work gets completed but is often delayed and over budget.
Level 2: Managed - Managed on the project level. Projects are planned, performed, measured, and controlled.
Level 3: Defined - Proactive, rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
Level 4: Quantitatively Managed - Measured and controlled. Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
Level 5: Optimized - Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization’s stability provides a platform for agility and innovation.