Secure-SDLC Framework Stack

On this page

Question

For most organizations in 2026, is the recommendation “anchor the policy to NIST SSDF and assess current maturity via OWASP SAMM the right approach, or does the 2026 threat surface (AI-augmented attackers, agentic SDLC adoption, AI-component supply chain) require a layered overlay?

Current position

The claim is structurally correct but materially incomplete. It is right about the role split (policy anchor versus maturity assessment) and right about the individual framework choices for traditional secure-SDLC programs. It is incomplete on the threat-model recalibration and AI-component governance that 2026 demands.

Treat SSDF plus SAMM as the foundation, then add the overlay. For organizations not yet building AI products or facing pressure from AI-augmented attackers, the claim is operationally adequate. For organizations on the leading edge of AI adoption, it is a starting point, not a destination.

Supporting evidence: why the foundation is right

The role split between policy framework and maturity model is the right pattern; SSDF and SAMM are the right individual choices for each role.

  • NIST SSDF (SP 800-218 v1.1) is an outcomes-oriented practice framework: four practice groups (PO/PS/PW/RV), regulatory weight (EO 14028, OMB M-22-18), tool-agnostic. It defines target outcomes and does not address maturity progression. Its Table 1 reference column synthesizes from BSAFSS, BSIMM, EO 14028, IEC 62443, ISO 27034, Microsoft SDL, NIST CSF, OWASP ASVS/MASVS/SAMM, PCI Secure SLC, and NIST SP 800-53/160/161/181, making SSDF a consensus cross-walk for the secure-SDLC field.
  • OWASP SAMM v2 is a prescriptive maturity model: five functions, three practices each, three levels, free, vendor-neutral, with an explicit assessment toolkit. It identifies an organization’s current maturity level and prescribes the next improvement steps. See Cybersecurity CMMs Exemplars §SAMM for structural analysis.

The OWASP-to-SSDF crosswalk, maintained since 2022, is referenced by both organizations as a recommended pairing pattern. The 2024 SAMM-BSIMM convergence, recognized in both organizations’ updates, shows that the AppSec community treats prescriptive maturity (SAMM) and descriptive benchmarking (BSIMM) as complementary: SAMM as the target, BSIMM as the industry mirror. Both frameworks are free, vendor-neutral, and US-regulator-aligned; within the surveyed set, neither has a credible alternative on those three dimensions.

For organizations that are US federal contractors, supply-chain participants for federal procurement, or building traditional software with minimal AI integration, the SSDF plus SAMM baseline is mature, defensible, and operationally required.

Counter-evidence: three structural gaps

Three structural gaps in the 2026 evidence base fall outside what SSDF plus SAMM covers.

Gap 1: AI-augmented attacker pace is in neither framework

Both SSDF and SAMM are calibrated against human-paced adversaries and human-paced development cycles. Three May 2026 sources document the shift: XBOW’s Mythos evaluation, Microsoft’s MDASH announcement, and Anthropic’s Glasswing announcement. CrowdStrike CTO Elia Zaitsev, speaking as a Glasswing partner: “The window between a vulnerability being discovered and being exploited by an adversary has collapsed — what once took months now happens in minutes with AI.”1

SSDF practice group PW (Produce Well-Secured Software) and SAMM’s Verification function carry time assumptions calibrated for the pre-AI era. SDLC in the AI-Attacker Era develops the full recalibration argument.

Gap 2: AI-component governance is at best partial

NIST has extended SSDF for AI via NIST SP 800-218A — SSDF Community Profile for GenAI. Table 1 of the Profile tags six tasks [Not part of SSDF 1.1]PO.5.3, PS.1.2, PS.1.3, and the three tasks of the new practice PW.3 (Confirm Integrity of Training, Testing, Fine-Tuning, and Aligning Data: PW.3.1/PW.3.2/PW.3.3) — plus AI-specific recommendations across most existing SSDF tasks (2026-Q2 standards review). It is scoped to AI model development only; deployment and operation of AI systems are explicitly out of scope, as is most of the data-governance life cycle beyond training-data security.

That scope makes SP 800-218A a partial AI overlay, not a complete one. As the standards review confirms, it contributes development-time process tasks, not deployment-time controls: it covers model-artifact protection, training-data integrity, AI threat modeling, and AI shutdown, but leaves the runtime, agent-orchestration, and multi-agent surface to other instruments (NIST AI RMF, ISO 42001, Agentic AI Security CMM). The Agentic AI Security CMM (Dimension D8) cites SP 800-218A alongside CycloneDX 1.6 ML-BOM, SPDX 3.0 AI extension, and EU AI Act Annex IV as supply-chain references.

No AI-specific SAMM extension in the surveyed set

Across the frameworks surveyed for this thesis, OWASP SAMM has no published AI-specific extension as of mid-2026, and no public roadmap for one has been announced.

Per PwC Middle East 2026 data, 38% of surveyed regional teams are Pioneer-tier (≥6 of 7 SDLC stages augmented).2 For these organizations, SSDF plus SAMM does not address AI-BOM and model-artifact integrity, agent identity and non-human identity governance, runtime guardrails for AI components, coding-agent governance, or the collaboration paradox — where HITL functions as the default mode, not an edge-case guardrail.

Gap 3: the productivity and pace mismatch

The METR 2025 RCT (16 experienced developers, 19% slower with AI tools on their own repositories) bounds vendor productivity claims at the experimental level.3 The symmetric implication — that attacker speed claims are also bounded — holds only conditionally: the underlying capability advance is real. The Glasswing announcement discloses a 27-year-old OpenBSD bug, a 16-year-old FFmpeg bug that automated testing tools had hit 5 million times without catching, and an autonomous Linux-kernel privilege-escalation chain.1

The Anthropic 2026 Trends Report addresses the dual-use risk at the strategic level in Trend 8. Priority 4 is “Embedding security architecture as part of agentic system design from the earliest stages,” which the Report treats as a top-four organizational priority.4 Neither SSDF nor SAMM was designed for a context in which a frontier-model vendor names this a strategic priority.

PwC’s data corroborates this: security is the top adoption barrier for GenAI in SDLC, cited by 37.7% of respondents, and PwC’s first recommended enabler is “early compliance guardrails” — treating secure-by-design as the first step.2

For most organizations doing or supporting software development:

LayerPurposeFrameworks
Policy anchorOutcomes; what good looks likeNIST SSDF (SP 800-218 v1.1) + SP 800-218A (AI Profile)
Maturity assessmentWhere am I, what’s nextOWASP SAMM v2 for traditional software; CISA Secure-by-Design for the cultural overlay
AI overlay (if building/deploying AI)AI-specific governanceNIST AI RMF + Agentic AI Security CMM 2026 or IEC 42001
Supply chainProvenance and integritySLSA v1.0 (target L3 for production); CycloneDX SBOM/ML-BOM
Benchmark (optional, large orgs)What peers actually doBSIMM for observation-based benchmarking
Operational alignmentOrg-wide framingNIST CSF 2.0 (Govern function added in 2024)

The original claim captures rows 1 and 2. Rows 3 through 6 are what is missing for organizations on the AI adoption curve.

When the claim is sufficient

The SSDF plus SAMM baseline is the right starting point for organizations that: are US federal contractors or supply-chain participants (SSDF is operationally required via EO 14028 and OMB M-22-18); build traditional software with minimal AI integration; are constrained to free or vendor-neutral tooling; or need a defensible, regulator-recognized baseline. The frameworks are mature, documented, and free, and the 2024 crosswalk lets an organization cite either to auditors. For a median enterprise IT organization in 2026, the pairing is directionally correct and operationally adequate.

When the claim breaks down

The baseline is insufficient for organizations that:

  • Build AI-powered products: they need a NIST AI RMF plus Agentic AI Security CMM or ISO 42001 overlay.
  • Defend against AI-augmented attackers: they need the SDLC-versus-AI-attacker threat model that neither SSDF nor SAMM addresses.
  • Sell into EU markets: they need an EU CRA compliance posture (effective December 2027) with parallel software-security obligations.
  • Are heavy supply-chain participants: they need SLSA-level provenance, which SSDF gestures toward but does not operationalize.
  • Operate at Pioneer tier per PwC’s tiers: they need the Trends Report Priority 4 principle — embedding security architecture from the earliest stages — as a first-class design requirement rather than a tier-3 SAMM line item.

How this position has evolved

  • 2026-05-13 — Seeded in response to a direct claim: “For most organizations, the best approach in 2026 is to anchor the policy to NIST SSDF while using OWASP SAMM to assess current maturity and identify gaps.” Position: structurally correct, materially incomplete, with a layered-stack recommendation.
  • 2026-05-14Microsoft’s SDL-for-AI announcement supplied a vendor precedent for the anchor-plus-AI-overlay pattern this thesis prescribes. Microsoft’s six SDL-for-AI focus areas (threat modeling for AI, AI system observability, AI memory protections, agent identity and RBAC, AI model publishing, AI shutdown mechanisms) overlap substantially with the AI-overlay layer. The structural recommendation gained the precedent without requiring a position change.
  • 2026-05-14 — Direct ingest of NIST SP 800-218 (SSDF v1.1) and SP 800-218A (AI Profile) sharpened two points. SSDF’s Table 1 reference column names Microsoft SDL (MSSDL) as a source, making the Microsoft-SDL-to-SSDF lineage documentary rather than asserted. 218A’s AI scope is narrower than Microsoft SDL’s six focus areas suggest: it covers training-data integrity, model weights, AI threat modeling, AI shutdown and rollback, and continuous dev-environment monitoring, but excludes deployment and operation. The recommended stack composition did not change; the precision of its citations did.
  • 2026-05-15 — A candidate Layer 4½ between supply chain and benchmark: harness-config audit as a CI-gated instrument over the agent harness configuration tree (see Harness Config as Supply-Chain Artifact and Control-Efficacy Gate). Held as a candidate addition until a second, independent instrument lands; the recommended stack did not change.
  • 2026-05-15 — A second candidate layer (Layer 7, AI-driven vulnerability discovery in CI) operating over application source rather than agent configuration, supported by production tools from five vendors converging on a common frame: validation, not rule-based pattern matching, as the architectural primary stage. SSDF practices PW.7 and PW.8 are candidate hosts for a “use AI-driven vuln-discovery” level criterion at a future SSDF v2 or SAMM v3; neither has shipped that language, so the candidate is parked. See the frontier-AI thesis. The recommended six-layer stack stayed unchanged.

Open sub-questions

  • OWASP SAMM v3 — is there a public roadmap for AI-aware extensions to SAMM? None has been announced as of mid-2026, which is a structural risk for SAMM’s long-term relevance.
  • CISA Secure-by-Design maturity — CISA published Secure-by-Design principles but not a maturity model. Whether an org-level Secure-by-Design rubric materializes, and whether it competes with or complements SAMM, is open.
  • EU CRA compliance crosswalk — when CRA enforcement begins December 2027, how do SSDF and SAMM map to CRA’s essential cybersecurity requirements? Cross-walks are likely; quality and binding interpretation are not yet established.
  • SLSA’s relationship to SSDF — SSDF’s PS (Protect Software) gestures at supply-chain integrity and SLSA operationalizes it. Whether a future SSDF v2 absorbs SLSA-grade requirements or the two remain parallel is unresolved.
  • BSIMM versus SAMM in the AI era — BSIMM’s descriptive approach may adapt to AI-era practices faster than SAMM’s prescriptive one because it observes what firms actually do. Worth tracking whether enterprise AppSec programs shift their benchmarking center of gravity.
  • The “most organizations” denominator — per PwC’s 2026 data, 38% of regional teams are already Pioneer-tier. PwC forecasts more than half of regional teams running a fully agentic SDLC by 2027 and two-thirds by 2029; as that share grows, the boundary between “SSDF plus SAMM is sufficient” and “needs the overlay” shifts.2 When does the median enterprise cross over?
  • See Gaps Index for related open questions.

See also

Notes

Footnotes

  1. Anthropic — Project Glasswing, May 12, 2026. CrowdStrike CTO Elia Zaitsev partner citation; disclosed examples include a 27-year-old OpenBSD remote-crash bug, a 16-year-old FFmpeg bug that automated testing tools had hit roughly 5 million times, and an autonomous Linux-kernel privilege-escalation chain. Summary: Project Glasswing. 2

  2. PwC Middle East — The Future of Solutions Development and Delivery in the Rise of GenAI (PDF), 2026. Survey of 377 respondents across the GCC, Jordan, and Egypt: 38.2% Pioneer-tier (≥6 of 7 SDLC stages augmented); security the top adoption barrier at 37.7%; forecast of more than half of regional teams on a fully agentic SDLC by 2027 and two-thirds by 2029. Summary: PwC Middle East 2026 Agentic SDLC Report. 2 3

  3. METR — Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity, July 2025 (arXiv 2507.09089). 16 experienced developers measured 19% slower on familiar codebases when AI tooling was enabled. Summary: METR 2025 RCT.

  4. Anthropic — 2026 Agentic Coding Trends Report (PDF), 2026. Trend 8 (dual-use) and Priority 4 (embedding security architecture from the earliest stages). Summary: 2026 Agentic Coding Trends Report.