In 2020 there was a cyberattack compromising data, networks, and systems of thousands of businesses. While EPRI was not directly affected, it revealed risks and potential vulnerabilities that can occur in the software development process. EPRI is taking “our obligation to safeguard information very seriously and is thoroughly committed to managing and protecting sensitive industry information.”
As a result, EPRI has developed this Secure Software Development Framework (SSDF) Playbook with the objective to “provide assurance for our members that EPRI is performing necessary due diligence for its software deliverables, and it’s safe for download/use”. This Playbook provides guidance during software development, with the objective of performing security checks earlier and more often during development so that by the time software is submitted there are few or no issues.
The Playbook was created through collaboration with IT and R&D leaders, architects, and engineers. The project was broken into 2 parts:
- Part 1, with a short-term goal to identify risks in existing software and remediate them.
- Part 2, with a long-term goal to identify the process and strategy to support secure software development at EPRI. The objectives were to:
  - Define the Future State Vision and Strategy for EPRI software development.
  - Acquire tools and develop frameworks and processes for a secure software development lifecycle (SSDLC) at EPRI.
To create this playbook, EPRI identified the 12 leading practices that could be implemented to increase our software security in the DevSecOps model, leading to the development of EPRI’s SSDF Life Cycle. The Life Cycle starts with review of this site, then moves on to developer onboarding, setup of the development environment, code development and security scanning, submittal for testing, and deliverable approval and distribution.
This SSDF Playbook centralizes the 12 practices and is downloadable in both presentation and short video format (a 15-minute walkthrough).
The Secure Software Development Framework (SSDF) project presents:
- SSDF Playbook Requirements for 2024 - The software development requirements based on the SSDF Playbook Life Cycle.
- SSDF SAST & DAST Scan Requirements for 2024 - The security scan requirements (e.g., SAST and DAST) for Desktop and Subscriber Website (SWS) deliverables.
- SSDF Playbook Process Cost Estimate - The cost estimate document sets expectations for cost and resource requirements, highlighting the costs in 2025 to implement the new requirements. This document provides budgeting guidance to R&D Project Managers (PMs) for 2025.
- SSDF Lessons Learned in 2023 - This document provides the lessons learned in 2023 around software development (e.g., SWS Pipelines) and application security scanning (e.g., Checkmarx).