BSAFSS | Compliance | Fluid Attacks Help

BSAFSS


Summary

The BSA Framework for Secure Software (BSAFSS) offers an outcome-focused, standards-based risk-management tool for stakeholders in the software industry. It also lets software development organizations describe the current state and the target state of software security in individual software products and services. The version used in this section is BSAFSS v1.1, September 2020.

Definitions

Each BSAFSS definition below is followed by the Fluid Attacks requirements that map to it.

Definition / Requirements

SC_3-2. Secure Coding (secure software against unsafe functions)
  160. Encode system outputs
  173. Discard unsafe inputs

SC_3-3. Secure Coding (secure software against unsafe functions)
  029. Cookies with security attributes
  173. Discard unsafe inputs

SC_4-1. Secure Coding (software architecture and design)
  374. Use of isolation methods in running applications

SM_2-1. Measures to ensure visibility, traceability, and security of third-party components
  262. Verify third-party components

SM_3-1. Supply chain data is protected
  176. Restrict system objects
  329. Keep client-side storage without sensitive data

SM_3-2. Supply chain data is protected
  181. Transmit data using secure protocols
  224. Use secure cryptographic mechanisms

SM_4-1. Software measures to prevent counterfeiting and tampering
  178. Use digital signatures
  266. Disable insecure functionalities

SM_4-2. Software measures to prevent counterfeiting and tampering
  229. Request access credentials

SM_6-1. Deployment procedures ensure that the usages of software are established
  176. Restrict system objects

TC_1-2. Developed software using security tools
  062. Define standard configurations

TC_1-6. Developed software using security tools
  062. Define standard configurations
  222. Deny access to the host essential

IA_1-1. Software development environment authenticates users and operators
  122. Validate credential ownership
  228. Authenticate using standard protocols
  229. Request access credentials
  236. Establish authentication time
  264. Request authentication

IA_1-2. Software development environment authenticates users and operators
  114. Deny access with inactive credentials
  127. Store hashed passwords

IA_2-1. Policies to control access to data and processes
  095. Define users with privileges

IA_2-2. Policies to control access to data and processes
  096. Set user's required privileges

SI_1-2. Avoid architectural weaknesses of authentication failure
  156. Source code without sensitive information
  266. Disable insecure functionalities

SI_1-3. Avoid architectural weaknesses of authentication failure
  319. Make authentication options equally secure

SI_1-4. Avoid architectural weaknesses of authentication failure
  329. Keep client-side storage without sensitive data
  375. Remove sensitive data from client-side applications

SI_1-5. Avoid architectural weaknesses of authentication failure
  134. Store passwords with salt
  185. Encrypt sensitive information

SI_2-1. Strong identity
  228. Authenticate using standard protocols

EN_1-1. Encryption strategy and mechanisms
  185. Encrypt sensitive information

EN_2-3. Avoid weak encryption
  145. Protect system cryptographic keys

EN_2-4. Avoid weak encryption
  148. Set minimum size of asymmetric encryption
  149. Set minimum size of symmetric encryption

EN_2-5. Avoid weak encryption
  147. Use pre-existent mechanisms
  224. Use secure cryptographic mechanisms

EN_3-1. Software protects and validates encryption keys
  146. Remove cryptographic keys from RAM

EN_3-2. Software protects and validates encryption keys
  089. Limit validity of certificates
  093. Use consistent certificates
  145. Protect system cryptographic keys
  361. Replace cryptographic keys

EN_3-3. Software protects and validates encryption keys
  090. Use valid certificates
  093. Use consistent certificates
  364. Provide extended validation (EV) certificates

AA_1-1. Principle of least privilege
  186. Use the principle of least privilege

AA_1-2. Authorization and access controls
  035. Manage privilege modifications

AA_1-3. Authorization and access controls
  114. Deny access with inactive credentials
  229. Request access credentials
  264. Request authentication

AA_2-1. Authorization and access (support controls)
  035. Manage privilege modifications

LO_1-2. Logging of all critical security incident and event information
  075. Record exceptional events in logs

LO_1-3. Logging of all critical security incident and event information
  079. Record exact occurrence time of events
  376. Register severity level

LO_2-2. Implement securely logging mechanisms
  080. Prevent log modification

LO_2-3. Implement securely logging mechanisms
  083. Avoid logging sensitive data

LO_2-4. Implement securely logging mechanisms
  160. Encode system outputs
  173. Discard unsafe inputs

EE_1-3. Error and exception handling capabilities
  075. Record exceptional events in logs
  077. Avoid disclosing technical information

VM_3-2. Vulnerability management
  181. Transmit data using secure protocols
  338. Implement perfect forward secrecy

CF_1-4. Secure software installation and operation
  142. Change system default credentials

VN_1-2. Vulnerability notification and patching
  262. Verify third-party components

VN_3-1. Vulnerability notification and patching (updates are accompanied by advisory messages)
  262. Verify third-party components

VN_3-2. Vulnerability notification and patching (updates are accompanied by advisory messages)
  301. Notify configuration changes