Secure Software Alliance (SSA)

Software is everywhere: in our homes, businesses, organizations software is present. Almost all services in our society are dependent on software. Innovations like cloud, internet of things, artificial intelligence are impossible without software.

However, we hardly know about the security of the software used in all these contexts. It is difficult for most organizations and end-users to assess security of software. The impact of vulnerabilities in software are often on the frontpage of our media: data taken hostage by ransomware, coordinated attacks by hacked IoT devices, vulnerabilities in industrial installations and sometimes even cyberattacks on our public infrastructure.

Security of Software is the most important requirement for trust in our IT-devices and services. However, software security is not or difficult to determine for an outsider. 

Software is at the heart of our society: online services, cloud and important innovations like internet of things and artificial intelligence. Often we do not know how secure the software is driving these applications


Our goal is to make security of software measurable, manageable and controllable. So that parties can provide assurance to the user of software that software is safe enough for the context in which software is used and the risks a user is willing to accept.

The SSA published the first version of the Secure Software Framework (SSF) in 2015. It is since then applied in several software development contexts. The framework was updated with the Agile software development processes in mind. In 2018 the SSA published an international in-depth publication about the framework and its backgrounds. SSA owns and manages the framework.

Basic assumption of the SSA is that security of software is not only a technical issue, but also an organizational. Security of software requires involvement of the developer and the user of software. When is software secure enough for application in a specific context?

SSA phases

If software security is measurable, manageable and controllable, software users can consciously make decisions (based on the interests of business and organization processes weighted against the risks of software) and, moreover, take measures to control risks.