Last fall, SAFECode collaborated with the Center for Internet Security to create “Secure by Design: A Developer’s Guide to Building Safer Software.” The guide and an accompanying spreadsheet build on the NIST Secure Software Development Framework (SSDF) to advise software development organizations about specific activities that they should undertake and specific artifacts they should produce in the process of creating secure software. The guide has received considerable interest since its release and underlies a new ETSI standard on software security.
The original Secure by Design guide provided only general guidance on the role of artificial intelligence in software security. The last nine months have seen a great deal of change in the capabilities and role of AI in detecting and remediating software vulnerabilities, and we believed that there was more that we should say on that subject. The development of the ETSI standard also revealed a few places where the guide and accompanying spreadsheet should be clarified or made more consistent and a few “bugs” that needed to be fixed. We’ve also received some feedback on the guide from SAFECode and CIS members and from other readers.
In response to the changes and feedback outlined above, CIS and SAFECode have now released Version 1.1 of the Secure by Design guide and spreadsheet. The new guide includes more specific guidance on AI and software security, is consistent in content with the new ETSI standard, and corrects the errors that have been discovered since the release of original version.
Download the Guide and Spreadsheet below. The download is a Zip file that contains a PDF of the guide and an XLSX of the spreadsheet.
As always, we’re interested in your reactions and feedback.
Steve Lipner
SAFECode Executive Director
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.