NIST has released a draft whitepaper for public comment: "Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)". With the withdrawal of NIST SP 800-64 Rev. 2, "Security Considerations in the System Development Life Cycle", in favor of NIST SP 800-160, this is welcome guidance for developers. It will be interesting to see how NIST shapes the guidance through industry and public comment, given the depth of material already in the current draft.
In the paper they define four practice areas: 1) Prepare the Organization (PO), 2) Protect the Software (PS), 3) Produce Well-Secured Software (PW), and 4) Respond to Vulnerability Reports (RV). Within each practice area there are numbered tasks with supporting examples, as well as mappings to industry standards such as BSIMM9, OWASP SAMM, SAFECode, MS SDLC, ISO 27034, and a few others. IMHO, BSIMM9 and OWASP SAMM set a very high bar for NIST to exceed.