Shostack + Friends Blog

NIST 800-218 revision

NIST 800-218 wants you!

Secure Software Development Framework (SSDF) Version 1.2: Recommendations for Mitigating the Risk of Software Vulnerabilities

NIST has released an initial public draft of v1.2 of NIST 800-218. If that means nothing to you, move along. Otherwise, you have until Jan 30 to comment. The draft is here. (NIST did not set an unusually short comment period, we’d missed it). ReversingLabs has a story with various perspectives: SSDF 1.2 sees AppSec as a journey. I do wish they’d frame it as software security issues, not software vulnerabilities.

Originally published by Adam on 27 Jan 2026
Categories: security regulation

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.