This document is a comprehensive guide developed by the Center for Internet Security (CIS) in collaboration with SAFECode and a community of experts. It provides a practical, evaluable framework to help software development organizations build and verify software security from the ground up. The guide builds on the NIST Secure Software Development Framework (SSDF) and integrates SAFECode’s maturity model, mappings to CIS Critical Security Controls, role-based implementation guidance, artifact-driven verification methods, and risk-based evaluation strategies. It covers six critical areas: secure software design, secure development, secure default configuration, supply chain security, code integrity, and vulnerability remediation. The document also addresses emerging challenges like AI/ML security implications and aligns with national and international initiatives such as the U.S. DHS CISA Secure by Design effort and the EU Cyber Resilience Act, aiming to help developers move from principles to actionable practices and empower end users and government bodies to assess software security confidently.
Home / Function (NIST CSF 2.0) / PR - Protect / PS - Platform / AppSec
CIS Secure by Design: A Guide to Assessing Software Security Practices ★★★★★
This document focuses on:AppSec
Excellent standard on security by design