SCA BoK

SCA Body of Knowledge (SCA-BoK) & Reference Materials

The SCA references numerous leading frameworks and standards for Secure Software Development Practices (SSDP) in an effort to provide “industry-recognized secure practices” references. These voluntary consensus standards, most publicly available at no cost, are referenced by the SCA's conformity assessment.

Secure Code Alliance Body of Knowledge (SCA-BoK)

The SCA-BoK is a summarized version of these industry-recognized secure practices that provides expectations for knowledge / competency associated with the Certified SCA Practitioner (CSCAP) and Certified SCA Architect (CSCAA) roles.

Industry-Recognized Secure Practices

For industry-recognized secure practices, the SCA’s intent is to leverage freely-available content that are available at no cost to the public. In the realm of secure development practices, there are certain voluntary consensus standards that are important to consider as industry-recognized practices and those primarily include, but are not limited to:

• NIST SP 800-160 Vol 1 Rev 1  (Engineering Trustworthy Secure Systems)
• NIST SP 800-160 Vol 2  Rev 1 (Developing Cyber Resilient Systems: A Systems Security Engineering Approach)
• NIST SP 800-218  (Secure Software Development Framework)
• NIST SP 800-218A (AI overlay for NIST SP 800-218's SSDF)
• ISO/IEC/IEEE 15288 (Systems and software engineering — System life cycle processes)
• OWASP Top Ten  
• Microsoft Security Development Lifecycle

Useful References

For reference materials, the following material can be valuable:

• Common Weakness Enumeration (CWE): Software Development
• DevOps.com
• Integrated Controls Management (ICM)