Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Viewer II

Best Secure Software Development Frameworks/Methodologies

Hello everyone,


I'm currently doing some research into the secure systems/software development frameworks/methodologies that are currently in use.


I'm wondering what frameworks, if any, people in the (ISC)2 community might recommend and why they would recommend them. I would greatly appreciate any useful insights the community could share with me.


Thanks in advance!


- Darin

3 Replies
Contributor II



In order to develop hack-resilient software, it is important to incorporate security concepts in the requirements, design, code, release and disposal phases of the SDLC. Security concepts span across the entire life cycle and will need to be addressed in each phase.


Microsoft has created a strategy that is referred as the SD3+C, this stands for Secure by Design, Secure by Default, secure by Deployment and communication


There is no single framework that addresses for all. The requirements will be changed from project to project.


For example you can use BSIMM/SSMM during the requirement/design phase


BSIMM is short for Building Security In Maturity Model. The BSIMM is a study of real-world software security initiatives organized so that you can determine where you stand with your software security initiative and how to evolve your efforts over time. BSIMM provides some good guidance for secure operations (such as penetration testing, software configuration, configuration management and vulnerability management) during deployment.


Threat modeling Frameworks you can use during design phase

Open Source Security Testing Methodology Manual (OSSTMM) during testing phase


You can use other NIST/ISO standards


NIST Special Publication (SP 800-18) provides guidance for the development of security plans, incorporating security requirements and controls into the plan


The ISO/IEC 15408 Standard and Software Security
ISO/IEC 21827:2008 – Systems Security Engineering Capability Maturity Model (SSE-CMM)

ISO/IEC 27002:2005 – Code of Practice for Information Security Management

Payment Card Industry Data Security Standard (PCI DSS)

and so forth


DevOps is also a good methodology to incorporate security 



Chandra Mouli, CISSP, CCSP, CSSLP
Viewer II

Hi Mouli,


Thank you for sharing your insight. It's much appreciated!


I'm aware of almost all of the frameworks/methodologies you've mentioned here. It's good to see I'm on the right track! 🙂


- Darin

Newcomer I

Hello Darin !


You might also gaze on the OWASP Secure Software Development Lifecycle Project (


There you´ll find a solid security software methodology for web applications as well as tools and guidelines.


I hope this helps!