Software development fundamentals


Introduction to software development

This section applies to software development activities for traditional applications (including user applications and server applications), artificial intelligence applications, mobile applications and web applications. Additional sections of these guidelines should also be consulted depending on the type of software development being undertaken. For example, the ‘Web application development’ section of these guidelines should be consulted for additional controls applicable to web applications.

Further information (28 references)

Further information on a secure software development framework can be found in National Institute of Standards and Technology Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities.

Further information on Secure by Design and Secure by Default principles and practices can be found in the following publications:

  • ASD’s Secure by Design foundations
  • ASD’s IoT Secure by Design guidance for manufacturers
  • United Kingdom’s National Cyber Security Centre’s Secure development and deployment guidance
  • United Kingdom’s Central Digital and Data Office’s Secure by Design Principles and Secure by Design Activities
  • United States’ Cybersecurity & Infrastructure Security Agency’s Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers
  • United States’ Cybersecurity & Infrastructure Security Agency’s Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.

Further information on secure programming practices is available from the Carnegie Mellon University’s Software Engineering Institute.

Further information on the need for memory-safe programming languages can be found in the following publications:

  • United States’ Cybersecurity & Infrastructure Security Agency’s The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously
  • United States’ Cybersecurity & Infrastructure Security Agency’s Exploring Memory Safety in Critical Open Source Projects
  • United States’ National Security Agency’s Software Memory Safety
  • United States’ National Security Agency and Cybersecurity & Infrastructure Security Agency’s Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development.

Further information on cyber supply chain transparency, and recommended content for a software bill of materials, can be found in the United States’ National Telecommunications and Information Administration’s The Minimum Elements For a Software Bill of Materials (SBOM) publication.

Further information on software bill of materials can also be found in the United States’ Cybersecurity & Infrastructure Security Agency’s A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity publication.

Further information on strong authentication can be found in the ‘Authentication hardening’ section of the Guidelines for system hardening.

Further information on software security testing can be found on the Open Worldwide Application Security Project’s (OWASP) DevSecOps Guidelines and Source Code Analysis Tools websites.

Further information on implementing a vulnerability disclosure program can be found in the following publications:

  • Google’s Starting a Vulnerability Disclosure Program
  • Carnegie Mellon University’s Software Engineering Institute’s The CERT Guide to Coordinated Vulnerability Disclosure
  • International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology – Security techniques – Vulnerability disclosure
  • International Organization for Standardization/International Electrotechnical Commission 30111:2019, Information technology – Security techniques – Vulnerability handling processes.

Further information on developing a vulnerability disclosure policy is available from the disclose.io project to assist an organisation with their implementation.

Further information on recommended contents for a ‘security.txt’ file is available to assist an organisation with their implementation.

Further information on reporting vulnerabilities to ASD as an independent coordinator, including ASD’s limited use obligation, is available from ASD.

Further information on event logging can be found in the ‘Event logging and monitoring’ section of the Guidelines for system monitoring.

75 controls
