Turning Secure Software Development into a Measurable Practice

When CIS and SAFECode first released Secure by Design: A Guide to Assessing Software Security Practices, the goal was clear: provide organizations with practical guidance for evaluating whether software security is truly embedded throughout the development lifecycle. Now, with the release of version 1.1, that guidance has been updated to reflect today's evolving software development landscape, emerging technologies, and growing regulatory expectations.

Rather than introducing a new framework, version 1.1 builds on the original guide's foundation by refining assessment approaches, expanding guidance around artificial intelligence (AI), and aligning with recent developments in software security policy and industry best practices.

Why an Update Was Needed

Since the publication of the original guide, the conversation around Secure by Design has continued to evolve. Government agencies, regulators, software vendors, and customers are increasingly focused on shifting security responsibility toward software manufacturers and reducing vulnerabilities before products reach users. At the same time, AI has rapidly emerged as both a powerful development tool and a new security challenge.

Version 1.1 addresses these developments while maintaining the guide's core mission: helping organizations assess software security practices through real-world evidence rather than theoretical claims. 

What's New in Version 1.1

Expanded Guidance on Artificial Intelligence

The most notable addition in version 1.1 is a dedicated focus on AI's role in software development and security.

The updated guide explores how organizations can use AI to improve threat modeling, identify vulnerabilities, and assist with vulnerability remediation. It also addresses the risks associated with AI-generated code and cautions organizations against treating AI-generated outputs as inherently secure. Instead, AI-produced code should undergo the same review, testing, and validation processes applied to human-written software.

Version 1.1 also introduces discussion of AI-enabled applications, the security considerations surrounding large language models, and emerging concerns related to agentic AI systems. The guidance encourages organizations to take advantage of AI's capabilities while maintaining proven Secure by Design practices. 

Updated Policy and Regulatory References

The Secure by Design ecosystem has matured significantly, and Version 1.1 reflects those changes.

The guide includes updated references to ongoing CISA Secure by Design initiatives, NIST Secure Software Development Framework activities, Executive Order 14306, and the European Union Cyber Resilience Act. These updates help organizations understand how Secure by Design practices align with current and emerging cybersecurity expectations worldwide. 

Enhanced Assessment Resources

A central theme of the guide remains the importance of measurable security practices. Version 1.1 strengthens the connection between Secure by Design principles and the evidence organizations can use to demonstrate implementation.

The updated assessment materials continue to map NIST SSDF practices to:

  • CIS Critical Security Controls®
  • SAFECode Development Groups
  • Organizational roles and responsibilities
  • Development artifacts and evidence required for assessment

This provides organizations with a clearer path for evaluating the maturity and effectiveness of their software security programs. 

The Core Principles Remain Unchanged

While Version 1.1 introduces several important updates, it preserves the six foundational Secure by Design considerations that formed the basis of the original guide:

  • Secure Software Design
  • Secure Development
  • Secure Default Configuration
  • Supply Chain Security
  • Code Integrity
  • Vulnerability Remediation

These six areas continue to provide the framework for building, maintaining, and evaluating secure software throughout its lifecycle.

A Continued Focus on Evidence

One of the guide's distinguishing features is its emphasis on assessment through evidence rather than self-attestation.

Version 1.1 continues to encourage organizations to demonstrate Secure by Design adoption through development artifacts such as threat models, workflow records, vulnerability management data, testing results, source code analysis outputs, and root-cause analysis documentation. By tying security claims to observable evidence, organizations can provide greater confidence to customers, regulators, and other stakeholders. 

Looking Ahead

Secure by Design is not a static initiative. As software development practices evolve, organizations must continuously adapt to new threats, technologies, and operational realities.

Version 1.1 reflects that reality by incorporating lessons learned since the original release and addressing one of the most significant developments facing the software industry today: artificial intelligence. At the same time, it remains grounded in the practical, measurable, and risk-based approach that made the original guide valuable to developers, customers, assessors, and policymakers alike. 

For organizations looking to strengthen software security, evaluate development practices, or align with emerging Secure by Design expectations, Secure by Design v1.1: A Guide to Assessing Software Security Practices provides an updated roadmap for turning software security principles into measurable practice.

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.