Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. ISO 15408-2, ISO 15408-3, and SP 800-160-1 provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1078 | Valid Accounts |
| SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1078.001 | Default Accounts |
| SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1078.003 | Local Accounts |
| SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1078.004 | Cloud Accounts |
| SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1134.005 | SID-History Injection |
| SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1482 | Domain Trust Discovery |