Secure-SDLC Framework Stack
On this page
- Question
- Current position
- Supporting evidence: why the foundation is right
- Counter-evidence: three structural gaps
- The recommended 2026 stack
- When the claim is sufficient
- When the claim breaks down
- How this position has evolved
- Open sub-questions
- See also
- Notes
Question
For most organizations in 2026, is the recommendation “anchor the policy to NIST SSDF and assess current maturity via OWASP SAMM” the right approach, or does the 2026 threat surface (AI-augmented attackers, agentic SDLC adoption, AI-component supply chain) require a layered overlay?
Current position
The claim is structurally correct but materially incomplete. It is right about the role split (policy anchor versus maturity assessment) and right about the individual framework choices for traditional secure-SDLC programs. It is incomplete on the threat-model recalibration and AI-component governance that 2026 demands.
Treat SSDF plus SAMM as the foundation, then add the overlay. For organizations not yet building AI products or facing pressure from AI-augmented attackers, the claim is operationally adequate. For organizations on the leading edge of AI adoption, it is a starting point, not a destination.
Supporting evidence: why the foundation is right
The role split between policy framework and maturity model is the right pattern; SSDF and SAMM are the right individual choices for each role.
- NIST SSDF (SP 800-218 v1.1) is an outcomes-oriented practice framework: four practice groups (PO/PS/PW/RV), regulatory weight (EO 14028, OMB M-22-18), tool-agnostic. It defines target outcomes and does not address maturity progression. Its Table 1 reference column synthesizes from BSAFSS, BSIMM, EO 14028, IEC 62443, ISO 27034, Microsoft SDL, NIST CSF, OWASP ASVS/MASVS/SAMM, PCI Secure SLC, and NIST SP 800-53/160/161/181, making SSDF a consensus cross-walk for the secure-SDLC field.
- OWASP SAMM v2 is a prescriptive maturity model: five functions, three practices each, three levels, free, vendor-neutral, with an explicit assessment toolkit. It identifies an organization’s current maturity level and prescribes the next improvement steps. See Cybersecurity CMMs Exemplars §SAMM for structural analysis.
The OWASP-to-SSDF crosswalk, maintained since 2022, is referenced by both organizations as a recommended pairing pattern. The 2024 SAMM-BSIMM convergence, recognized in both organizations’ updates, shows that the AppSec community treats prescriptive maturity (SAMM) and descriptive benchmarking (BSIMM) as complementary: SAMM as the target, BSIMM as the industry mirror. Both frameworks are free, vendor-neutral, and US-regulator-aligned; within the surveyed set, neither has a credible alternative on those three dimensions.
For organizations that are US federal contractors, supply-chain participants for federal procurement, or building traditional software with minimal AI integration, the SSDF plus SAMM baseline is mature, defensible, and operationally required.
Counter-evidence: three structural gaps
Three structural gaps in the 2026 evidence base fall outside what SSDF plus SAMM covers.
Gap 1: AI-augmented attacker pace is in neither framework
Both SSDF and SAMM are calibrated against human-paced adversaries and human-paced development cycles. Three May 2026 sources document the shift: XBOW’s Mythos evaluation, Microsoft’s MDASH announcement, and Anthropic’s Glasswing announcement. CrowdStrike CTO Elia Zaitsev, speaking as a Glasswing partner: “The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI.”1
SSDF practice group PW (Produce Well-Secured Software) and SAMM’s Verification function carry time assumptions calibrated for the pre-AI era. SDLC in the AI-Attacker Era develops the full recalibration argument.
Gap 2: AI-component governance is at best partial
NIST has extended SSDF for AI via NIST SP 800-218A — SSDF Community Profile for GenAI. Table 1 of the Profile tags six tasks [Not part of SSDF 1.1] — PO.5.3, PS.1.2, PS.1.3, and the three tasks of the new practice PW.3 (Confirm Integrity of Training, Testing, Fine-Tuning, and Aligning Data: PW.3.1/PW.3.2/PW.3.3) — plus AI-specific recommendations across most existing SSDF tasks (2026-Q2 standards review). It is scoped to AI model development only; deployment and operation of AI systems are explicitly out of scope, as is most of the data-governance life cycle beyond training-data security.
That scope makes SP 800-218A a partial AI overlay, not a complete one. As the standards review confirms, it contributes development-time process tasks, not deployment-time controls: it covers model-artifact protection, training-data integrity, AI threat modeling, and AI shutdown, but leaves the runtime, agent-orchestration, and multi-agent surface to other instruments (NIST AI RMF, ISO 42001, Agentic AI Security CMM). The Agentic AI Security CMM (Dimension D8) cites SP 800-218A alongside CycloneDX 1.6 ML-BOM, SPDX 3.0 AI extension, and EU AI Act Annex IV as supply-chain references.
No AI-specific SAMM extension in the surveyed set
Across the frameworks surveyed for this thesis, OWASP SAMM has no published AI-specific extension as of mid-2026, and no public roadmap for one has been announced.
Per PwC Middle East 2026 data, 38% of surveyed regional teams are Pioneer-tier (≥6 of 7 SDLC stages augmented).2 For these organizations, SSDF plus SAMM does not address AI-BOM and model-artifact integrity, agent identity and non-human identity governance, runtime guardrails for AI components, coding-agent governance, or the collaboration paradox — where HITL functions as the default mode, not an edge-case guardrail.
Gap 3: the productivity and pace mismatch
The METR 2025 RCT (16 experienced developers, 19% slower with AI tools on their own repositories) bounds vendor productivity claims at the experimental level.3 The symmetric implication — that attacker speed claims are also bounded — holds only conditionally: the underlying capability advance is real. The Glasswing announcement discloses a 27-year-old OpenBSD bug, a 16-year-old FFmpeg bug that automated testing tools had hit 5 million times without catching, and an autonomous Linux-kernel privilege-escalation chain.1
The Anthropic 2026 Trends Report addresses the dual-use risk at the strategic level in Trend 8. Priority 4 is “Embedding security architecture as part of agentic system design from the earliest stages,” which the Report treats as a top-four organizational priority.4 Neither SSDF nor SAMM was designed for a context in which a frontier-model vendor names this a strategic priority.
PwC’s data corroborates this: security is the top adoption barrier for GenAI in SDLC, cited by 37.7% of respondents, and PwC’s first recommended enabler is “early compliance guardrails” — treating secure-by-design as the first step.2
The recommended 2026 stack
For most organizations doing or supporting software development:
| Layer | Purpose | Frameworks |
|---|---|---|
| Policy anchor | Outcomes; what good looks like | NIST SSDF (SP 800-218 v1.1) + SP 800-218A (AI Profile) |
| Maturity assessment | Where am I, what’s next | OWASP SAMM v2 for traditional software; CISA Secure-by-Design for the cultural overlay |
| AI overlay (if building/deploying AI) | AI-specific governance | NIST AI RMF + Agentic AI Security CMM 2026 or IEC 42001 |
| Supply chain | Provenance and integrity | SLSA v1.0 (target L3 for production); CycloneDX SBOM/ML-BOM |
| Benchmark (optional, large orgs) | What peers actually do | BSIMM for observation-based benchmarking |
| Operational alignment | Org-wide framing | NIST CSF 2.0 (Govern function added in 2024) |
The original claim captures rows 1 and 2. Rows 3 through 6 are what is missing for organizations on the AI adoption curve.
When the claim is sufficient
The SSDF plus SAMM baseline is the right starting point for organizations that: are US federal contractors or supply-chain participants (SSDF is operationally required via EO 14028 and OMB M-22-18); build traditional software with minimal AI integration; are constrained to free or vendor-neutral tooling; or need a defensible, regulator-recognized baseline. The frameworks are mature, documented, and free, and the 2024 crosswalk lets an organization cite either to auditors. For a median enterprise IT organization in 2026, the pairing is directionally correct and operationally adequate.
When the claim breaks down
The baseline is insufficient for organizations that:
- Build AI-powered products: they need a NIST AI RMF plus Agentic AI Security CMM or ISO 42001 overlay.
- Defend against AI-augmented attackers: they need the SDLC-versus-AI-attacker threat model that neither SSDF nor SAMM addresses.
- Sell into EU markets: they need an EU CRA compliance posture (effective December 2027) with parallel software-security obligations.
- Are heavy supply-chain participants: they need SLSA-level provenance, which SSDF gestures toward but does not operationalize.
- Operate at Pioneer tier per PwC’s tiers: they need the Trends Report Priority 4 principle — embedding security architecture from the earliest stages — as a first-class design requirement rather than a tier-3 SAMM line item.
How this position has evolved
- 2026-05-13 — Seeded in response to a direct claim: “For most organizations, the best approach in 2026 is to anchor the policy to NIST SSDF while using OWASP SAMM to assess current maturity and identify gaps.” Position: structurally correct, materially incomplete, with a layered-stack recommendation.
- 2026-05-14 — Microsoft’s SDL-for-AI announcement supplied a vendor precedent for the anchor-plus-AI-overlay pattern this thesis prescribes. Microsoft’s six SDL-for-AI focus areas (threat modeling for AI, AI system observability, AI memory protections, agent identity and RBAC, AI model publishing, AI shutdown mechanisms) overlap substantially with the AI-overlay layer. The structural recommendation gained the precedent without requiring a position change.
- 2026-05-14 — Direct ingest of NIST SP 800-218 (SSDF v1.1) and SP 800-218A (AI Profile) sharpened two points. SSDF’s Table 1 reference column names Microsoft SDL (
MSSDL) as a source, making the Microsoft-SDL-to-SSDF lineage documentary rather than asserted. 218A’s AI scope is narrower than Microsoft SDL’s six focus areas suggest: it covers training-data integrity, model weights, AI threat modeling, AI shutdown and rollback, and continuous dev-environment monitoring, but excludes deployment and operation. The recommended stack composition did not change; the precision of its citations did. - 2026-05-15 — A candidate Layer 4½ between supply chain and benchmark: harness-config audit as a CI-gated instrument over the agent harness configuration tree (see Harness Config as Supply-Chain Artifact and Control-Efficacy Gate). Held as a candidate addition until a second, independent instrument lands; the recommended stack did not change.
- 2026-05-15 — A second candidate layer (Layer 7, AI-driven vulnerability discovery in CI) operating over application source rather than agent configuration, supported by production tools from five vendors converging on a common frame: validation, not rule-based pattern matching, as the architectural primary stage. SSDF practices PW.7 and PW.8 are candidate hosts for a “use AI-driven vuln-discovery” level criterion at a future SSDF v2 or SAMM v3; neither has shipped that language, so the candidate is parked. See the frontier-AI thesis. The recommended six-layer stack stayed unchanged.
Open sub-questions
- OWASP SAMM v3 — is there a public roadmap for AI-aware extensions to SAMM? None has been announced as of mid-2026, which is a structural risk for SAMM’s long-term relevance.
- CISA Secure-by-Design maturity — CISA published Secure-by-Design principles but not a maturity model. Whether an org-level Secure-by-Design rubric materializes, and whether it competes with or complements SAMM, is open.
- EU CRA compliance crosswalk — when CRA enforcement begins December 2027, how do SSDF and SAMM map to CRA’s essential cybersecurity requirements? Cross-walks are likely; quality and binding interpretation are not yet established.
- SLSA’s relationship to SSDF — SSDF’s PS (Protect Software) gestures at supply-chain integrity and SLSA operationalizes it. Whether a future SSDF v2 absorbs SLSA-grade requirements or the two remain parallel is unresolved.
- BSIMM versus SAMM in the AI era — BSIMM’s descriptive approach may adapt to AI-era practices faster than SAMM’s prescriptive one because it observes what firms actually do. Worth tracking whether enterprise AppSec programs shift their benchmarking center of gravity.
- The “most organizations” denominator — per PwC’s 2026 data, 38% of regional teams are already Pioneer-tier. PwC forecasts more than half of regional teams running a fully agentic SDLC by 2027 and two-thirds by 2029; as that share grows, the boundary between “SSDF plus SAMM is sufficient” and “needs the overlay” shifts.2 When does the median enterprise cross over?
- See Gaps Index for related open questions.
See also
- Microsoft Secure Development Lifecycle (SDL) — vendor-authored secure-SDLC framework that implements the anchor-plus-AI-overlay pattern this thesis prescribes.
- Microsoft SDL — the source paper for that announcement.
- Cybersecurity CMM Exemplars and Design Lessons — examines CMMI, BSIMM, SAMM, CMMC, and NIST CSF 2.0 with per-exemplar structural analysis.
- Agentic AI Security CMM 2026 — a CMM built on lessons from those exemplars.
- PwC Stage-Coverage Tiers — maturity model on the GenAI-in-SDLC adoption-breadth axis.
- SDLC in the AI-Attacker Era — thesis on why secure SDLC requires recalibration for AI-augmented adversaries.
- Security Controls for AI Stacks — thesis on the six-layer control landscape for AI systems.
- Anthropic 2026 Agentic Coding Trends Report — vendor source for Priority 4 on embedding security architecture in agentic system design.
- PwC Middle East 2026 Agentic SDLC Report — advisory source reporting security as the top GenAI-in-SDLC adoption barrier, cited by 37.7% of respondents.
Notes
Footnotes
-
Anthropic — Project Glasswing, May 12, 2026. CrowdStrike CTO Elia Zaitsev partner citation; disclosed examples include a 27-year-old OpenBSD remote-crash bug, a 16-year-old FFmpeg bug that automated testing tools had hit roughly 5 million times, and an autonomous Linux-kernel privilege-escalation chain. Summary: Project Glasswing. ↩ ↩2
-
PwC Middle East — The Future of Solutions Development and Delivery in the Rise of GenAI (PDF), 2026. Survey of 377 respondents across the GCC, Jordan, and Egypt: 38.2% Pioneer-tier (≥6 of 7 SDLC stages augmented); security the top adoption barrier at 37.7%; forecast of more than half of regional teams on a fully agentic SDLC by 2027 and two-thirds by 2029. Summary: PwC Middle East 2026 Agentic SDLC Report. ↩ ↩2 ↩3
-
METR — Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity, July 2025 (arXiv 2507.09089). 16 experienced developers measured 19% slower on familiar codebases when AI tooling was enabled. Summary: METR 2025 RCT. ↩
-
Anthropic — 2026 Agentic Coding Trends Report (PDF), 2026. Trend 8 (dual-use) and Priority 4 (embedding security architecture from the earliest stages). Summary: 2026 Agentic Coding Trends Report. ↩