Apr 28th 2025

Secure Code Alliance (SCA)

The Secure Code Alliance (SCA) was formed to address the need organizations have to ensure that their developers are aware of and implement Secure Software Development Practices (SSDP), in order to minimize the threat posed by malicious actors against the organization’s Applications, Services and Processes (ASP).

The SCA’s conformity assessment is the Developing Security & Privacy by Design (DSPD) initiative. The DSPD is an effort to promote transdisciplinary competency for developers to deliver trustworthy ASP. This concept of competency is focused on a practitioner’s or architect’s ability to:

  • Work with stakeholders to ensure that security objectives, protection needs/concerns, security requirements and associated validation methods are defined;
  • Define security and privacy requirements, including associated verification methods;
  • Develop security views and viewpoints of the system architecture and design;
  • Identify and assess susceptibilities and vulnerabilities to lifecycle hazards and adversities;
  • Design proactive and reactive features and functions encompassed within a balanced strategy to control asset loss and associated loss consequences;
  • Provide security considerations to inform systems engineering efforts with the objective to reduce errors, flaws and weaknesses that may constitute a security vulnerability;
  • Perform system security analyses and interpret the results of system security-relevant analyses in support of decision-making for engineering trades and risk management;
  • Identify, quantify and evaluate the costs and benefits of security features and functions and considerations to inform assessments of alternative solutions, engineering trade-offs and risk treatment decisions;
  • Demonstrate through evidence-based reasoning that security and trustworthiness claims for the system have been satisfied; and
  • Leverage multiple security and other specialties to address all feasible solutions.

SCA Body of Knowledge (SCA-BoK)

For reference materials, the SCA’s intent is to leverage content that is freely available to the public at no cost. In the realm of SSDP, there are certain voluntary consensus standards that are important to consider as industry-recognized practices; these primarily include, but are not limited to:

  • NIST SP 800-218
  • NIST SP 800-160 Vol 1
  • NIST SP 800-160 Vol 2
  • OWASP Top Ten
  • ISO/IEC/IEEE 15288 (as referenced by NIST SP 800-160 vol 1)
  • Microsoft Security Development Lifecycle

Secure Software Development Framework (SSDF)

Few Software Development Life Cycle (SDLC) models explicitly address software security in detail, so it is necessary to add Secure Software Development Practices (SSDP) to each SDLC model to ensure that the application has adequate security and data protections “baked in” during the development process. The SCA recognizes the Secure Software Development Framework (SSDF) as a core set of high-level SSDP that can be integrated into an SDLC methodology. The SSDF offers multiple benefits, which include:

  • Reducing the number of vulnerabilities in released software;
  • Reducing the potential impact of the exploitation of undetected or unaddressed vulnerabilities;
  • Addressing the root causes of vulnerabilities to prevent future recurrences;
  • Providing a common vocabulary for SSDP; and
  • Reducing miscommunications or assumptions with parties in acquisition processes and other management activities.

SSDP are applicable to the following types of technology assets:

  • Operating Systems (OS);
  • Firmware;
  • Mobile device apps;
  • General-purpose or multi-use systems (e.g., Enterprise Information Technology (EIT));
  • Dedicated or special-purpose systems (e.g., security-dedicated/purposed systems), such as Operational Technology (OT) devices that are used in industrial/manufacturing systems, which include:
    • Industrial Control Systems (ICS);
    • Supervisory Control and Data Acquisition (SCADA) systems;
    • Programmable Logic Controllers (PLCs);
    • Computerized Numerical Control (CNC) devices;
    • Cyber-Physical Systems (CPS);
    • Machine controllers;
    • Fabricators;
    • Assemblers; and
    • Machining technologies; and
  • Internet of Things (IoT) / Industrial Internet of Things (IIoT): interconnected devices having a physical or virtual representation in the digital world, sensing/actuation capability and programmability features, which include:
    • Wearable technologies;
    • Security systems;
    • Lighting;
    • Heating;
    • Air conditioning; and
    • Fire / smoke detectors.

Mission

The SCA’s mission is to improve awareness of and adherence to Secure Software Development Practices (SSDP) by application developers and architects by operating a conformity assessment methodology that:

  • Spans the design, development and maintenance of Applications, Services and Processes (ASP);
  • Educates applicants by reinforcing reasonably-expected security and privacy principles, based on voluntary consensus standards that consider developer-specific, industry-recognized practices; and
  • Leverages an online platform to test applicants on subject matter expertise and awards the applicant a Certificate of Conformity (CoC) upon receiving a successful score.

Vision

The SCA’s vision is that organizations from all industries ensure that the development of Applications, Services and Processes (ASP) employs adequate security and privacy measures throughout the Software Development Life Cycle (SDLC), so that security and privacy-related risks are identified and remediated appropriately.

The SCA’s conformity assessment methodology is designed with these concepts in mind:

  • Identify the discipline basics for Secure Software Development Practices (SSDP) in terms of its principles, concepts and activities; and
  • Foster a common mindset to deliver secure Applications, Services and Processes (ASP), regardless of their purpose, type, scope, size, complexity, or stage of the SDLC.

Strategy

The SCA’s strategy is to:

  • Operate a cost-effective and meaningful conformity assessment methodology, the Developing Security & Privacy by Design (DSPD) initiative; and
  • Certify individuals for competency among application developers and architects. There are two certifications available:
    • Certified SCA Practitioner (CSCAP) (designed for developer roles); and
    • Certified SCA Architect (CSCAA) (designed for application architecture roles).

The DSPD initiative is focused on developing a conformity assessment methodology that addresses:

  • “Practitioner-level competency” among developers; and
  • “Expert-level competency” among architects.