Secure Development
Integrate security into the SDLC.
8 of 9 frameworks cover this control
Framework Mappings
How Secure Development maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.PS-06 |
| ISO 27001 | Covered | A.8.25 A.8.26 A.8.28 |
| CIS v8 | Covered | CIS 16.1 CIS 16.2 |
| SOC 2 | Covered | CC8.1 |
| PCI DSS | Covered | 6.2.1 6.2.2 6.2.3 6.2.4 |
| CMMC | Covered | SA.L2-3.16.1 SA.L2-3.16.2 |
| 800-53 | Covered | SA-3 SA-8 SA-11 SA-15 |
| HIPAA | Not Covered | — |
| GDPR | Covered | Art.25(1) Art.25(2) |
About Secure Development
Secure Development is a cybersecurity control in the Protect domain, summarized as "Integrate security into the SDLC." Secure development practices embed security throughout the software development lifecycle (SDLC) so that vulnerabilities are identified and remediated before code reaches production. This includes threat modeling during design, secure coding standards, static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA) for third-party dependencies, and security-focused code review. Shifting security left reduces remediation costs and prevents common vulnerability classes such as injection flaws, broken authentication, and insecure deserialization from reaching production environments.
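One of the practices listed above, SCA for third-party dependencies, is usually enforced as a CI gate that fails the build when a pinned dependency falls inside a known-vulnerable version range. The script below is an added illustration written for this page, not ControlMap code or a reference to any real vulnerability: the package names, advisory identifiers and version ranges are all constructed, and the lockfile text is embedded inline. Real pipelines would pull the advisory list from a vulnerability database and read the lockfile from the repository.

```python
"""Minimal software-composition-analysis (SCA) gate for a CI pipeline.

Added example for this page. The advisories, package names and the
requirements text are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple   # first affected version, inclusive
    fixed: tuple        # first fixed version, exclusive
    severity: str
    advisory_id: str


# Constructed advisory feed (hypothetical packages and IDs).
ADVISORIES = [
    Advisory("acme-parser", (1, 2, 0), (1, 5, 0), "high", "ADV-EXAMPLE-1"),
    Advisory("widgetlib", (2, 0, 0), (3, 0, 0), "critical", "ADV-EXAMPLE-2"),
    Advisory("fooauth", (0, 8, 0), (0, 10, 0), "low", "ADV-EXAMPLE-3"),
]

# Constructed pinned requirements file, with one deliberately unpinned line.
REQUIREMENTS = """\
# constructed lockfile for the example
acme-parser==1.4.2
widgetlib==3.0.0
fooauth==0.9.1
pyyaml>=6.0   # unpinned on purpose
"""


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2), padded to three numeric components,
    so that version ranges compare numerically rather than as strings."""
    parts = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text):
    """Split a requirements file into exact pins ({name: version}) and a
    list of lines that are not exactly pinned. Comments and blanks are skipped."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def is_affected(version, adv):
    """True when introduced <= version < fixed for this advisory."""
    return adv.introduced <= parse_version(version) < adv.fixed


def scan(pinned, advisories):
    """Return (package, version, advisory_id, severity) for every pinned
    dependency that falls inside an advisory's affected range."""
    findings = []
    for adv in advisories:
        version = pinned.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id, adv.severity))
    return findings


def gate(requirements_text, advisories, fail_on=("critical", "high")):
    """Decide whether the build may proceed. Unpinned dependencies also fail
    the gate: if the resolved version is not fixed, the scan result cannot be
    trusted to describe what actually gets deployed."""
    pinned, unpinned = parse_requirements(requirements_text)
    findings = scan(pinned, advisories)
    blocking = [f for f in findings if f[3] in fail_on]
    return {
        "pass": not blocking and not unpinned,
        "findings": findings,
        "blocking": blocking,
        "unpinned": unpinned,
    }


if __name__ == "__main__":
    report = gate(REQUIREMENTS, ADVISORIES)
    for pkg, ver, adv_id, sev in report["findings"]:
        print(f"{sev.upper():8} {pkg}=={ver} ({adv_id})")
    for line in report["unpinned"]:
        print(f"UNPINNED {line}")
    print("PASS" if report["pass"] else "FAIL")
```

In the constructed input the gate fails twice over: acme-parser 1.4.2 sits inside a high-severity range, and pyyaml is not pinned at all, while widgetlib 3.0.0 is the first fixed version and is correctly not flagged. Treating low-severity findings as non-blocking but still reported mirrors how most teams tune such a gate so that it stays enforceable without stalling every build.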
This control is recognized by 8 of the 9 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR. It is not covered by HIPAA, representing a potential gap for organizations relying solely on that framework.