This implementation guideline provides a common language for describing a set of high-level secure software practices used to implement the framework. This helps facilitate communication about secure software practices in the framework among both internal and external organizational stakeholders, including:
- Business owners, software developers, and cybersecurity professionals within an organization.
- Software consumers that want to define required or desired characteristics for software in their acquisition processes in order to have higher-quality software (particularly with fewer security vulnerabilities).
- Software producers (e.g., commercial-off-the-shelf product vendors, software developers working within or on behalf of software consumer organizations) that want to integrate secure software development practices throughout their SDLCs, express their secure software practices to their customers, or define requirements for their suppliers.
Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Software consumers can reuse and adapt the practices in their software acquisition processes.
Advantages of specifying the practices at a high level include the following:
- Can be used by organizations in any sector or community, regardless of size or cybersecurity sophistication.
- Can be applied to software developed to support information technology (IT) and operational technology (OT).
- Can be integrated into any existing software development workflow and automated tools; should not negatively affect organizations that already have robust secure software development practices in place.
- Makes the practices broadly applicable, not specific to particular technologies, platforms, programming languages, SDLC models, development environments, operating environments, tools, etc.
- Can help an organization document its secure software development baseline today and define its future target baseline as part of its continuous improvement process.
- Can assist an organization currently using a classic software development model (e.g., waterfall) and/or a modern software development model (e.g., agile, DevOps).