Safeguard
DevSecOps

Embedding security-by-design into DevSecOps risk management across the SDLC

NIST's SSDF turns 'shift left' into eleven concrete practices — but a framework on paper doesn't stop a bad merge. Here's how to make it enforceable.

Safeguard Research Team
Research
7 min read

NIST published Special Publication 800-218, the Secure Software Development Framework (SSDF), in February 2022, organizing security-by-design work into four groups of practices — Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities — and a draft revision has circulated since late 2025 to tighten several of those practices. Two years later, at RSA Conference in May 2024, CISA launched its Secure by Design pledge with 68 initial signatories, including AWS, Microsoft, Google, Cisco, and IBM, committing to measurable, publicly reported progress on goals like eliminating default passwords and increasing MFA adoption. Both efforts point at the same gap: writing security principles down is not the same as making them stick in a pipeline that ships dozens of times a day. Verizon's 2024 Data Breach Investigations Report found vulnerability exploitation grew roughly 180% year-over-year as a breach entry vector, reaching 14% of all breaches — driven substantially by mass exploitation events like MOVEit — which is hard evidence that catching flaws late, in production, is no longer a viable primary control. This post walks through what it actually takes to move security-by-design from a policy document into gates that run inside the SDLC itself.

What does NIST's SSDF actually require teams to do?

SSDF's four practice groups translate into specific, auditable actions rather than abstract principles. "Prepare the Organization" (PO) requires defined security requirements and toolchains before code is written. "Protect the Software" (PS) covers access control over source and build systems and integrity verification of released artifacts. "Produce Well-Secured Software" (PW) is the largest group — it mandates threat modeling, static and dynamic analysis, and reviewing third-party components for known vulnerabilities before release. "Respond to Vulnerabilities" (RV) requires a documented remediation process with defined timeframes. Executive Order 14028 (May 2021) made SSDF conformance and SBOM production a practical requirement for vendors selling software to the U.S. federal government, which is why many enterprises now ask suppliers for an SSDF attestation alongside a security questionnaire. The framework itself doesn't specify tooling — it specifies outcomes, which is precisely why teams struggle to prove they're actually meeting it without pipeline-level evidence.

Why isn't a security policy document enough on its own?

A policy document has no enforcement mechanism — it describes intent, not behavior, and intent doesn't stop a pull request from merging. This is the core reason CISA frames Secure by Design as a set of measurable commitments rather than a checklist: signatories publish progress against specific goals (default password elimination, MFA adoption rates, CVE transparency) precisely because unmeasured pledges tend to stay unmeasured. The DBIR's 180% jump in exploitation-driven breaches makes the operational stakes concrete: teams that rely on annual pen tests or quarterly policy reviews are, by construction, blind for months at a time to exactly the vulnerability classes attackers exploit fastest after disclosure. Security-by-design only becomes real when a specific rule — no critical CVE on CISA's Known Exploited Vulnerabilities list ships to production, no unsigned image gets admitted to a cluster — is evaluated automatically at a specific point in the pipeline, with a recorded pass/fail outcome, rather than trusted to a developer's memory of a wiki page.

Where in the SDLC should security controls actually be enforced?

Effective programs enforce controls at several distinct points rather than one late gate, because each point catches a different failure mode. Pre-commit or IDE-level checks catch hardcoded secrets and obviously vulnerable packages before they ever reach shared history. Commit and CI gates evaluate SBOM completeness, license compliance, and CVE severity against policy before a build is allowed to proceed — this is where a SAST or SCA finding above an agreed severity threshold should fail the pipeline outright rather than generate a ticket for later. Registry-push and Kubernetes admission checks re-verify that an image still matches policy immediately before it runs, closing the gap between "built" and "deployed" where drift or a newly disclosed CVE can slip in. Runtime monitoring, typically via eBPF collectors, then watches for behavioral drift from the approved baseline after deployment. Each layer produces a decision — allow, warn, or block — and a signed, auditable record of that decision, which is what turns "we have a policy" into "we can prove the policy held" for an auditor or a customer's security questionnaire.

How do maturity models like SAMM and BSIMM fit into this?

OWASP SAMM (Software Assurance Maturity Model) and BSIMM (Building Security In Maturity Model) remain the two dominant, publicly documented frameworks for benchmarking how mature a security-by-design program actually is, and both score organizations across governance, design, implementation, verification, and operations domains rather than treating "secure" as binary. Neither model tells you which specific scanner to run; both tell you whether your organization has, say, formalized threat modeling as a repeatable practice (a SAMM Design-domain criterion) versus doing it ad hoc when someone remembers. Teams building an SSDF-aligned program often use SAMM or BSIMM as the diagnostic layer — identifying which practice groups are weakest — before deciding where to invest in tooling or automation. The two models are complementary with SSDF rather than redundant: SSDF specifies what secure practices look like, SAMM/BSIMM measure how consistently and maturely an organization actually performs them, and neither substitutes for the pipeline-level enforcement that turns a scored maturity assessment into a daily operational control.

What does it mean to gate risk decisions with policy-as-code instead of manual review?

Policy-as-code means risk decisions — block, warn, or auto-remediate — are expressed as versioned, machine-evaluated rules instead of a human re-litigating the same judgment call on every pull request. A rule like "block any production image containing a CVE on CISA's KEV list" or "require a CycloneDX SBOM attestation signed within the last 90 days" can be written once, applied uniformly across every repository and pipeline, and evaluated automatically at commit, CI, registry-push, and admission time. This directly operationalizes SSDF's PW (Produce Well-Secured Software) and RV (Respond to Vulnerabilities) practice groups: a policy engine evaluating SBOM, vulnerability, license, signature, and reachability data together can distinguish a theoretical CVE in an unreachable code path from one an attacker can actually trigger, which matters because manual triage queues rarely have the bandwidth to make that distinction at scale. Time-boxed exceptions with named approvers, rather than permanent carve-outs, keep the model workable for legitimate edge cases without quietly reopening the gate for everything else.

How Safeguard helps

Safeguard implements this model directly rather than leaving teams to stitch it together from separate tools. Guardrails are defined as YAML policies with BLOCK, WARN, or AUTO_FIX effects and enforced at six points in the lifecycle — IDE, commit, CI, registry, Kubernetes admission, and runtime — with every decision written to a signed audit record an auditor can replay later. The safeguard gate CLI step fails a CI build outright when a blocking rule matches, evaluating SBOM, CVE, license, signing, and SLSA-provenance data in one pass instead of five disconnected checks. First-party SAST and DAST results share a unified findings model with SCA and reachability analysis, so a policy can act on "this CVE is both critical and actually reachable" rather than raw scanner output — and TPRM extends the same guardrails to vendor SBOM intake, letting a procurement gate require SSDF-practice attestation before a contract is signed. That combination is what turns SSDF and Secure by Design from a document teams reference during an audit into a set of controls their pipeline enforces every day.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.