
How SSDF can guide DevSecOps in a security-first mobile and web application development

SSDF stands for Secure Software Development Framework, a set of guidelines and best practices for building security into every phase of the software development lifecycle (SDLC).

You can find more details about the SSDF guidelines in this link, published by the National Institute of Standards and Technology (NIST). The framework is not country-specific, so it provides a comprehensive roadmap for getting your stakeholders on the same wavelength.

Figure: a minimalist cycle diagram showing the SSDF cycle and its step-wise elements (NIST Secure Software Development Framework)

Is SSDF directly related to code level cybersecurity?

Not directly, but it does provide guidance and best practices for incorporating security considerations into the development process. That includes guidance on writing secure code and on implementing security testing and other security controls throughout the SDLC within your organization, with the human factor taken into account.

It also provides a comprehensive and flexible approach to software security, from the early stages of development through maintenance and support, covering every phase of the SDLC: requirements, design, implementation, testing, deployment, and maintenance. Moreover, SSDF gives teams that use different development approaches a common language and framework for software security, enabling them to communicate more effectively and execute more efficiently, since everyone is aligned on the same cycle of identification, analysis and mitigation throughout the SDLC.

Are there mobile and web specific frameworks for secure development?

Indeed! There are various frameworks and libraries for implementing code-level security during your ADLC/SDLC. It is impractical to curate every library out there, but below is a list of some of the most widely used ones. It is worth noting that such frameworks commonly follow the Open Web Application Security Project (OWASP)* Top 10 list of application security risks, which is a helpful starting point for identifying and mitigating security threats within your code.

5 popular mobile and web application code level security frameworks

  • Spring Security is a framework for Java-based web applications that provides a wide range of security features such as authentication, access control, and cryptography. It is easily integrated with other Spring frameworks such as Spring MVC and Spring Boot.

  • Django is a popular web framework for Python whose built-in security features include protection against cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, as well as password hashing and session management.

  • Express-validator is a middleware that can be used with Node.js and Express to validate incoming request data. It supports a wide variety of validation checks including email validation, URL validation and many more.

  • Crypto-js is a JavaScript library that provides a variety of cryptographic functions such as encryption, decryption, and hashing. It can be used to protect sensitive data in web applications.

  • Passport is an authentication middleware for Node.js that supports a wide variety of authentication strategies, including OAuth and OpenID Connect.

Just to reiterate, this is NOT a comprehensive list; it contains commonly implemented code-level security libraries and frameworks in application development. Use cases differ from one application to another, and these tools might not be appropriate for every development scenario.

* OWASP (Open Web Application Security Project)

For the top 10 Application Security Risks in 2021 see this post