Unauthorised access to the authoritative source for software is prevented.
Establish comprehensive security criteria for software checks to enable robust and consistent access control throughout the Software Development Life Cycle (SDLC). These criteria should define clear policies and procedures for access management, ensuring that only authorized individuals and processes can interact with software components at every stage of development, testing, deployment, and maintenance. Additionally, conduct thorough reviews and evaluations, confirm secure configurations, verify the origin and authenticity of components, and establish controlled repositories. Maintain an approved list of trusted components, designate essential components, implement stringent update processes, and build binaries directly from source code when necessary to prevent the use of unauthorized or insecure components.
Define measurable security metrics, such as KPIs, KRIs, and vulnerability severity scores, to assess risk management. Embed these criteria into SDLC workflows, like Agile's "Definition of Done" or CI/CD checks. Review artifacts to ensure compliance with benchmarks and track outcomes (approvals, rejections, exceptions) in a centralized system. Analyze collected data to refine security practices and adapt criteria to evolving risks, ensuring a secure and consistent development process.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-01-04-01-01-01 | Define security metrics and criteria | Establish clear metrics, such as KPIs, KRIs, and vulnerability severity scores, to measure the effectiveness of software security risk management. Ensure these metrics provide meaningful insights into security risk management. | Preparation | Security Teams, Risk Management Teams |
| SSS-01-04-01-01-02 | Integrate security criteria into development workflows | Add software security criteria to existing workflows, such as the Definition of Done in agile SDLC methodologies. Ensure that security checks are an integral part of the software development lifecycle and align with project goals. | Development | Development Teams, Security Teams |
| SSS-01-04-01-01-03 | validate artifacts against security criteria | Review artifacts generated during the software development workflow (e.g., code reviews, test results, documentation) to verify they meet established security criteria. Record approvals, rejections, and exceptions as part of the workflow tracking system. | Deployment | Quality Assurance Teams, Security Analysts |
| SSS-01-04-01-01-04 | Analyze security data for continuous improvement | Collect and analyze data from security checks, including successes, failures, and exception requests, to evaluate the overall effectiveness of security measures. Use the insights gained to refine the SDLC and enhance future security practices. | Post-deployment | Security Teams, Risk Management Teams |
| SSS-01-04-01-01-05 | Track and report security check outcomes | Maintain a record of security check outcomes, including approvals, rejections, and exception requests, within the tracking system. Use these records for reporting, auditing, and identifying areas for improvement in the software development process. | Post-deployment | Security Teams, Compliance Teams |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1422) NIST Secure Software Development Framework (PO.4.1) SSDF (PO.4.1: Define criteria for software security checks and track throughout the SDLC. - Example) |
Conduct comprehensive vendor assessments to ensure that external suppliers involved in software development align with the organization’s security standards and risk appetite. Use structured approaches, such as checklists, interviews, or maturity evaluations, to evaluate suppliers’ security practices, processes, and software assurance programs. Assess their ability to address potential risks and ensure alignment with your organization’s access control and security requirements across the SDLC. If gaps in security capabilities are identified, collaborate with suppliers to address these issues and evaluate their plans for improvement. Make security expectations explicit, provide clear guidelines, and regularly reassess supplier performance to account for changing risk factors. This ensures that external suppliers do not introduce vulnerabilities into the development process and supports a secure and consistent SDLC.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-01-04-01-02-01 | Establish vendor evaluation criteria | Define evaluation criteria based on organizational security needs and risk appetite. Use a basic checklist or conduct interviews to review their typical practices and deliveries. | Preparation | Procurement team, Security team, Project leads |
| SSS-01-04-01-02-02 | Conduct vendor assessments | Perform assessments using interviews or questionnaires with different roles in the organization. Evaluate their practices, deliveries, and software assurance processes. Include a maturity evaluation where needed. | Development | Security team, Vendor managers |
| SSS-01-04-01-02-03 | Document and prioritize identified risks | If suppliers have weak competences in software security, record vendor security risks, categorize them based on severity, and determine which risks require immediate mitigation or long-term monitoring. | Development | Security team, Procurement team, Vendors |
| SSS-01-04-01-02-04 | Communicate expectations and monitor alignment | Clearly communicate expectations to suppliers and monitor their compliance. Reassess periodically for critical or evolving projects. | Post-deployment | Procurement team, Security team, Project leads |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1422) NIST Secure Software Development Framework (PO.4.1) OWASP SAMM: Software Assurance Maturity Model (D-SR-1-B) |