Secure Controls Framework
Secure Software Development Practices

Prove your code is secure.
Prove your team is, too.

The Secure Code Alliance (SCA) was formed to address the need for organizations to ensure that their developers are aware of, and implement, Secure Software Development Practices (SSDP), in order to minimize the threat that malicious actors pose to the organization's applications, services, and processes.

✓ EO 14028 Aligned
✓ NIST SP 800-218
✓ The Cyber AB is the Accreditation Body

  • Certification Validity: 3 Years
  • Credential Tracks: 4
  • Org Designations: 2 (SDO + CODE)
  • Federal Compliance Ready: EO 14028

About the Alliance

Technical competence, organizational due diligence.

The Secure Code Alliance (SCA) addresses two interconnected needs: ensuring software developers possess the technical skills to write secure code, and providing organizations with the means to demonstrate governance over secure development practices.

Through individual certifications (CSCAP and CSCAA) and organizational designations (SDO and CODE), the SCA provides a comprehensive framework that aligns with EO 14028 requirements and NIST SP 800-218 best practices.

Certification Tracks

Two paths for individuals.

Software developers and architects each face distinct challenges in secure development. The SCA offers two certifications, one tailored to each role and its responsibilities.

CSCAP

Certified SCA Practitioner

For software developers who use Secure Development Lifecycle (SDL) processes for new systems, system upgrades, or systems that are being repurposed. Demonstrate technical competence in implementing SSDP day-to-day.

CSCAA

Certified SCA Architect

For software architects who employ cyber resiliency constructs and tailor analytic and lifecycle processes to their environment. Demonstrate strategic security competence.

CSCAP — Practitioner

For software developers.

Software developers (practitioners) are expected to use Secure Development Lifecycle (SDL) processes for new systems, system upgrades, or systems that are being repurposed.

Individuals who earn the Certified SCA Practitioner (CSCAP) certification demonstrate the level of competence needed to ensure that the security of an organization's applications, services, and processes is assessed throughout their operational life, reducing risk to the organization and its clients.

Can you look a client in the eye and honestly say that you can demonstrate, today, that you know what Secure Software Development Practices (SSDP) are? How can you prove that?

The CSCAP is evidence you can use to demonstrate competence and even compliance with requirements from EO 14028 for SSDP. The training and certification are performed through a Learning Management System (LMS) and upon passing the knowledge exam, your CSCAP certificate will be issued by Accredible.

CSCAA — Architect

For software architects.

Software architects (architects) are expected to employ cyber resiliency constructs (e.g., goals, objectives, techniques, approaches, and design principles), along with the associated analytic and lifecycle processes, and to tailor them to the technical, operational, and threat environments for which the architect's systems must be engineered.

Individuals who earn the Certified SCA Architect (CSCAA) certification demonstrate the level of competence needed to ensure that the security of an organization's applications, services, and processes is assessed throughout their operational life, reducing risk to the organization and its clients.

The CSCAA is evidence you can use to demonstrate competence and even compliance with requirements from EO 14028 for SSDP. The training and certification are performed through a Learning Management System (LMS) and upon passing the knowledge exam, your CSCAA certificate will be issued by Accredible.

Organization-Level Designations

Govern secure development at organizational scale.

There is a growing need for organizations to be able to demonstrate that, at the organization level, they govern secure development practices. The SCA offers two paths.

SDO Designation

Secure Development Organization

There are three (3) different levels of SDO. The level depends on the number of SCA Practitioners and SCA Architects employed by the organization.

  • SDO 1
    Entry-level designation: foundational organizational commitment.
  • SDO 2
    Intermediate designation: demonstrated investment in SCA-certified personnel.
  • SDO 3
    Highest designation: significant SCA Practitioner / Architect headcount.

CODE Certification

Certified Organization for Development Excellence

In addition to the organization-wide SDO designation, organizations can earn the CODE designation, which has two levels of conformity assessment.

  • CODE 1
    CISA SSDAF Conformity: demonstrates conformity with the CISA Secure Software Development Attestation Form (e.g., EO 14028).
  • CODE 2
    NIST SP 800-218 Conformity: demonstrates conformity with NIST Special Publication 800-218.

Federal Compliance Context

Built for EO 14028 and the SSDF.

Executive Order (EO) 14028, Improving the Nation's Cybersecurity, directs the National Institute of Standards and Technology (NIST) to publish guidance on practices that enhance the security of the software supply chain.

The SCA's framework is designed to give organizations and individuals concrete, defensible evidence of secure development practices.

Federal guidance recommends that purchasers "accept first-party attestation of conformity with SSDF practices unless a risk-based approach determines that second or third-party attestation is required." First-party attestation is recommended for meeting the EO 14028 requirements.

When requesting artifacts of conformance, request high-level artifacts. The software producer should be able to trace the practices summarized in the high-level artifacts to the corresponding low-level artifacts that are generated by those practices.

  • EO 14028 (Improving the Nation's Cybersecurity)
    Directs NIST to publish guidance on practices that enhance the security of the software supply chain. SCA certifications align with this directive.
  • NIST SP 800-218 (Secure Software Development Framework, SSDF)
    Best practices reference for SSDP. CODE 2 organizations demonstrate conformity with this publication.
  • CISA SSDAF (Secure Software Development Attestation Form)
    CODE 1 organizations demonstrate conformity with the CISA SSDAF (e.g., EO 14028).

The Process

From study to credential, in four steps.

Training and certification are performed through a Learning Management System (LMS). Upon passing the knowledge exam, your certificate is issued by Accredible.

STEP 01

Choose your track

Select CSCAP, CSCAA, or an organizational program based on your role and goals.

STEP 02

Study the SCA-BoK

Use industry-recognized secure development practices. Free, open content forms the basis of the exam.

STEP 03

Pass the exam

Take the knowledge exam through our LMS. Pay via credit card, debit, or ACH (Stripe). Invoicing available.

STEP 04

Get credentialed

Your certificate is issued via Accredible — share it on LinkedIn, print it, or include it in compliance evidence.

Knowledge & Resources

Go deeper into secure software.

Body of Knowledge

The SCA Body of Knowledge (SCA-BoK)

A summarized version of industry-recognized secure practices — the foundation for CSCAP and CSCAA exam expectations.

Framework

Compliant vs. Secure: the security mindset

Why meeting minimum compliance rarely means an application is secure — and how MCC + DSR define MVP security.

Compliance Reference

SSDP Requirements across frameworks

Application security controls from EO 14028, PCI DSS v4, CIS v8, CMMC, and more — mapped in one place.


Can you look a client in the eye and prove you know SSDP?

The CSCAP and CSCAA are evidence you can use to demonstrate competence and even compliance with EO 14028 requirements for Secure Software Development Practices.
