NIST 800 218 SSDF Compliant PROJECT DESCRIPTION
This project follows NIST SP 800-218 Secure Software Development Framework (SSDF) practices for secure software development.
- PO (Prepare Organization): Secure development environment with
.devcontainer - PS (Protect Software): Version control security, vulnerability disclosure process
- PW (Produce Well-Secured Software): Secure coding, comprehensive testing, secure defaults
- RV (Respond to Vulnerabilities): Automated vulnerability detection and response procedures
# Build the project
cargo build
# Run tests
cargo test
# Run security checks
./scripts/security-test.shThis project implements comprehensive security testing as required by NIST SP 800-218 PW.2.1 and PW.5.2.
# Rust security lints
cargo clippy --all-targets -- -D warnings
# Dependency vulnerability scanning
cargo audit
# License and policy enforcement
cargo deny check
# Unsafe code detection
cargo geiger
# External static analysis
semgrep --config=auto .The project includes OWASP ZAP integration for automated security testing:
# Run DAST scan against running application
security-test-dast http://localhost:8080
# Run with custom report directory
security-test-dast http://localhost:8080 /workspace/custom-reports
# Manual ZAP operations
zap-baseline.py -t http://localhost:8080 -n .zap/context.xml -c .zap/rules.tsvDAST scanning uses project-specific ZAP configurations:
.zap/context.xml: Defines scan scope, technology stack, and authentication.zap/rules.tsv: Configures security rules aligned with NIST 800-218 requirements
The DAST scanner automatically detects and uses these configurations for consistent security testing across the team.
Fuzzing is implemented using cargo-fuzz to test input validation and error handling robustness:
# Install fuzzing toolchain (done automatically in devcontainer)
cargo install cargo-fuzz
rustup install nightly
# Initialize fuzzing (if not already done)
cargo fuzz init
# Run fuzzing tests
cargo fuzz run config_parser # Fuzz configuration parsing
cargo fuzz run api_inputs # Fuzz API input validation
# Run fuzzing with time limit (recommended for CI/CD)
cargo fuzz run config_parser -- -max_total_time=60 # 60 seconds
cargo fuzz run api_inputs -- -max_total_time=300 # 5 minutes
# Review fuzzing results
cargo fuzz cmin config_parser # Minimize corpus
cargo fuzz tmin config_parser # Minimize individual inputsCurrent fuzzing targets include:
config_parser: Tests configuration file parsing robustnessapi_inputs: Tests API input validation and error handling- Add additional targets in
fuzz/fuzz_targets/as needed
- Run regularly: Include fuzzing in CI/CD pipeline with time limits
- Review crashes: All fuzzing crashes indicate potential security issues
- Minimize corpus: Regularly minimize fuzzing corpus for efficiency
- Add coverage: Create fuzz targets for all input parsing functions
Run all security tests together:
# Complete security test suite (SAST + DAST + Fuzzing)
security-test-all
# Manual comprehensive testing
cargo clippy --all-targets -- -D warnings
cargo audit
cargo deny check
cargo fuzz run config_parser -- -max_total_time=60
security-test-dast http://localhost:8080- Memory Safety: Written in Rust to prevent buffer overflows and memory corruption
- Input Validation: All inputs are validated at entry points with comprehensive fuzzing
- Secure Defaults: All configurations default to secure settings
- Dependency Scanning: Automated vulnerability scanning of dependencies
- SBOM Generation: Software Bill of Materials for supply chain transparency
- Audit Logging: Comprehensive security event logging
- Dynamic Security Testing: Automated OWASP ZAP scanning for runtime vulnerabilities
- Fuzzing Coverage: Property-based testing for input validation robustness
This project uses a NIST SP 800-218 compliant development environment with:
- Rust toolchain with security-focused configuration
- Security tools: cargo-audit, cargo-deny, cargo-geiger, cargo-fuzz
- OWASP ZAP for dynamic application security testing
- Static analysis: semgrep, clippy with security lints
- Fuzzing support: cargo-fuzz with nightly toolchain
# Open in VS Code with devcontainer
code .
# Or rebuild devcontainer if already open
Ctrl+Shift+P -> "Dev Containers: Rebuild Container"
# Verify security tools installation
cargo audit --version
zap --version
cargo fuzz --version-
Write secure code following Rust security best practices
-
Run security tests before committing:
./scripts/security-test.sh
-
Review security reports generated in
/workspace/security-reports/ -
Address vulnerabilities identified by automated testing
-
Update security configurations as needed (
.zap/directory)
Security testing generates comprehensive reports:
/workspace/security-reports/
├── zap-baseline-report.html # DAST scan results (human-readable)
├── zap-baseline-report.json # DAST scan results (machine-readable)
├── fuzz-results/ # Fuzzing crash reports and corpus
├── audit-results.json # Dependency vulnerability scan
└── semgrep-results.sarif # Static analysis results
This project uses a NIST SP 800-218 compliant development environment. See SECURITY_CHECKLIST.md for daily security practices.
- Run
security-test-allbefore pushing changes - Review security reports for new vulnerabilities
- Update dependencies regularly with
cargo update - Add fuzz targets for new input parsing functionality
- Configure ZAP rules for new API endpoints
Detailed NIST SP 800-218 implementation documentation is available in:
docs/compliance/nist-800-218/- Complete SSDF practice implementationSECURITY.md- Vulnerability disclosure and security policydocs/security/- Security architecture and configuration guides
Licensed under ScanSet Federal, Inc