NIST SSDF
Tool Best Practices
PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains.
Example 1: Evaluate, select, and acquire tools, and assess the security of each tool.
Example 2: Integrate tools with other tools and existing software development processes and workflows.
Example 3: Use code-based configuration for toolchains (e.g., pipelines-as-code, toolchains-as-code).
Example 4: Implement the technologies and processes needed for reproducible builds.
Example 5: Update, upgrade, or replace tools as needed to address tool vulnerabilities or add new tool capabilities.
Example 6: Continuously monitor tools and tool logs for potential operational and security issues, including policy violations and anomalous behavior.
Example 7: Regularly verify the integrity and check the provenance of each tool to identify potential problems.
Example 8: See PW.6.1 and PW.6.2 regarding compiler, interpreter, and build tools and their hardening.
Example 9: See PO.5.1 and PO.5.2 regarding implementing and maintaining secure environments.
CMMI Maturity
Not Applicable
Level 1: Initial - Unpredictable and reactive. Work gets completed but is often delayed and over budget.
Level 2: Managed - Managed on the project level. Projects are planned, performed, measured, and controlled.
Level 3: Defined - Proactive, rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
Level 4: Quantitatively Managed - Measured and controlled. Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
Level 5: Optimized - Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization’s stability provides a platform for agility and innovation.