Secure by Design: A Guide to Assessing Software Security Practices
Published on October 23, 2025
Software is the foundation of modern business operations, government services, and personal technology – and its security is critical. Yet despite decades of effort, many systems remain vulnerable, and the cybersecurity industry continues to operate in a reactive cycle of patching, configuration management, and incident response.
Secure by Design: A Guide to Assessing Software Security Practices offers a practical, evaluable framework for building and verifying software security from the ground up. Developed by the Center for Internet Security® (CIS®) in collaboration with the Software Assurance Forum for Excellence in Code (SAFECode) and a community of experts, this guide helps organizations align their development practices with proven security principles.
What’s Inside
This guide builds on the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) and integrates:
- SAFECode’s Development Groups (DGs) maturity model
- Mappings to the CIS Critical Security Controls® (CIS Controls®)
- Role-based implementation guidance
- Artifact-driven verification methods
- Risk-based evaluation strategies
- A focused discussion on artificial intelligence and machine learning (AI/ML) and their implications for software security
It also addresses the evolving landscape of Secure by Design initiatives, including efforts led by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and NIST, as well as international measures such as the European Union’s Cyber Resilience Act (CRA).
Who Should Use This Guide
- Software development organizations – Learn what to implement and how to demonstrate conformance.
- End users and customers – Understand what to ask for and how to evaluate software security.
- Government and industry bodies – Identify what to verify when assessing Secure by Design adoption.
Download Package
The guide is delivered as a ZIP archive containing:
- The full white paper (PDF format)
- An accompanying spreadsheet (Microsoft Excel format) detailing implementation activities, artifacts, and role mappings
Note: When you download Secure by Design: A Guide to Assessing Software Security Practices, it will open as a ZIP file containing both the white paper and the supporting spreadsheet.
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.