[ISM] Secure-by-design:

Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.

[SSDF] Develop secure in-house software components (SSS-02-01-09)

Develop and maintain in-house software components that meet organizational security standards when third-party options are insufficient. Follow SDLC processes, secure configurations, and update protocols to address internal software development needs securely.

[SAMM] Identify application dependencies (SSS-02-01-09-01)

To enhance software security, organizations should maintain an accurate record of all application dependencies, referred to as a Bill of Materials (BOM). This includes both server-side and client-side dependencies. Records should include detailed information about each dependency, such as where it is used, its version, license, source, and maintenance status. Use tools and methods like package managers or IDEs to list dependencies. Regularly analyze these records to identify vulnerabilities in dependencies and take corrective actions, such as updating or replacing outdated or insecure components. This process ensures better visibility, traceability, and security for application components.

Operations

ID: SSS-02-01-09-01-01
Operation: Create a bill of materials (BOM)
Description: Identify and document all dependencies used by the application, including server-side and client-side components. Use tools like package managers, configuration files, or IDEs to generate a comprehensive BOM for the production environment.
Phase: Development
Agent: Development Teams

ID: SSS-02-01-09-01-02
Operation: Gather detailed dependency information
Description: Collect detailed metadata for each dependency, including where it is used, its version, license type, source repository, and maintenance status. Ensure the records are complete and up-to-date for accurate analysis.
Phase: Development
Agent: DevOps Teams

ID: SSS-02-01-09-01-03
Operation: Analyze dependencies for vulnerabilities
Description: Regularly review the BOM to identify dependencies with known vulnerabilities. Use tools like vulnerability scanners or CVE databases to discover potential risks and prioritize actions based on severity and impact.
Phase: Deployment
Agent: Security Teams

ID: SSS-02-01-09-01-04
Operation: Update or replace vulnerable dependencies
Description: Address vulnerabilities by updating to secure versions of dependencies or replacing them with alternatives. Ensure compatibility and security before applying changes to the production environment.
Phase: Post-deployment
Agent: DevOps Teams

ID: SSS-02-01-09-01-05
Operation: Automate dependency management
Description: Implement automated tools for tracking, analyzing, and managing dependencies. This includes setting up alerts for new vulnerabilities and integrating automated checks into the CI/CD pipeline to enforce the use of secure dependencies.
Phase: Post-deployment
Agent: Automation Engineers
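The operations above (build the BOM, enrich it with metadata, analyze it, decide on update or replacement) can be exercised end to end with a small script. The following is an added example, not code from the catalogue or from OWASP SAMM: it parses two constructed manifests (a Python requirements file and an npm package.json), attaches the metadata the practice calls for, and checks the result against a constructed advisory list. Every package name, repository URL, version and advisory identifier is made up; the point it adds is that a BOM must hold resolved versions, so a manifest line that only gives a range is itself reported as a gap to close from the lock file.

```python
"""Added example: minimal BOM construction and dependency analysis.
All manifests, metadata and advisories below are constructed for
illustration and do not refer to real packages or advisories."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed server-side manifest (requirements.txt style).
SERVER_REQUIREMENTS = """\
# requirements.txt (constructed)
webframe==2.3.1
httpclient==1.9.0
templating>=4.0,<5
"""

# Constructed client-side manifest (package.json style).
CLIENT_PACKAGE_JSON = json.dumps({
    "name": "frontend",
    "dependencies": {"ui-kit": "7.2.0", "date-utils": "^3.1.4"},
})

# Constructed per-dependency metadata (license, source, maintenance status).
DEPENDENCY_METADATA = {
    "webframe":   {"license": "MIT",        "source": "https://example.invalid/webframe",   "maintained": True},
    "httpclient": {"license": "Apache-2.0", "source": "https://example.invalid/httpclient", "maintained": False},
    "templating": {"license": "BSD-3",      "source": "https://example.invalid/templating", "maintained": True},
    "ui-kit":     {"license": "MIT",        "source": "https://example.invalid/ui-kit",     "maintained": True},
    "date-utils": {"license": "ISC",        "source": "https://example.invalid/date-utils", "maintained": True},
}

# Constructed advisories: a component is affected when its version is below fixed_in.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-0001", "package": "httpclient", "fixed_in": "1.9.3", "severity": "high"},
    {"id": "ADV-CONSTRUCTED-0002", "package": "ui-kit",     "fixed_in": "7.2.0", "severity": "medium"},
]


@dataclass
class Component:
    name: str
    version: Optional[str]          # None when the manifest gives a range, not a pin
    ecosystem: str
    used_in: str                    # where the dependency is used (server / client)
    license: str = "unknown"
    source: str = "unknown"
    maintained: Optional[bool] = None


PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?")


def parse_requirements(text: str) -> list:
    """Return (name, pinned_version_or_None) for each non-comment line."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2)))
    return out


def parse_package_json(text: str) -> list:
    """Return (name, exact_version_or_None); caret/tilde ranges are unresolved."""
    data = json.loads(text)
    out = []
    for name, spec in data.get("dependencies", {}).items():
        version = spec if re.fullmatch(r"[0-9]+(\.[0-9]+)*", spec) else None
        out.append((name.lower(), version))
    return out


def build_bom(server_manifest: str, client_manifest: str, metadata: dict) -> list:
    """Operations -01 and -02: list dependencies, then attach their metadata."""
    bom = []
    for ecosystem, used_in, deps in (("pypi", "server", parse_requirements(server_manifest)),
                                     ("npm", "client", parse_package_json(client_manifest))):
        for name, version in deps:
            meta = metadata.get(name, {})
            bom.append(Component(name, version, ecosystem, used_in,
                                 meta.get("license", "unknown"),
                                 meta.get("source", "unknown"),
                                 meta.get("maintained")))
    return bom


def version_tuple(v: str) -> tuple:
    """Numeric dotted-version comparison key (sufficient for the constructed data)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def analyze(bom: list, advisories: list) -> list:
    """Operations -03 and -04: find affected components and propose an action."""
    findings = []
    for comp in bom:
        if comp.version is None:
            findings.append({"component": comp.name, "issue": "unresolved version",
                             "severity": "medium",
                             "action": "record the exact version from the lock file"})
            continue
        for adv in advisories:
            if adv["package"] == comp.name and version_tuple(comp.version) < version_tuple(adv["fixed_in"]):
                # An unmaintained upstream is a reason to replace rather than update.
                action = ("replace: upstream is unmaintained" if comp.maintained is False
                          else "update to " + adv["fixed_in"])
                findings.append({"component": comp.name, "issue": adv["id"],
                                 "severity": adv["severity"], "action": action})
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 9))
    return findings


if __name__ == "__main__":
    bom = build_bom(SERVER_REQUIREMENTS, CLIENT_PACKAGE_JSON, DEPENDENCY_METADATA)
    print(json.dumps([asdict(c) for c in bom], indent=2))
    print(json.dumps(analyze(bom, ADVISORIES), indent=2))
```

With the constructed input, `analyze` reports the high-severity advisory against the unmaintained `httpclient` first, recommending replacement, and then flags the two range-only entries whose exact versions the BOM still lacks; `ui-kit` at 7.2.0 is not reported because the advisory's fix version is already reached. In a real pipeline the manifests would be replaced by lock files and the advisory list by a vulnerability database feed (operation -05).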

References

Industry framework:
  Information Security Manual (ISM-0401)
  NIST Secure Software Development Framework (PW.4.2)
  OWASP SAMM: Software Assurance Maturity Model (I-SB-1-B)
Academic work: none listed
Real-world case: none listed

[SLSA] Follow a consistent build process (SSS-02-01-09-02)

Ensure that all in-house software producers follow a consistent build process to establish predictable and verifiable artifacts. This approach enables stakeholders, including verifiers, to form expectations about what constitutes a 'correct' build, thus enhancing trust in the development lifecycle. For verification purposes, producers may provide explicit metadata about the build process. This metadata should include information such as the artifact's source repository, build parameters, and security configurations. In cases where explicit metadata is not shared, verifiers may rely on implicit trust mechanisms, such as 'trust on first use,' to validate the artifact. When distributing artifacts via a package ecosystem that mandates explicit metadata in configuration files, producers must ensure these files are complete, accurate, and kept up to date. This practice not only ensures compliance with ecosystem requirements but also strengthens traceability and confidence in the integrity of internally developed software components.

Operations

ID: SSS-02-01-09-02-01
Operation: Standardize the build process
Description: Define and document a standardized build process that includes consistent build tools, parameters, and configurations for all artifacts.
Phase: Preparation
Agent: Build engineers, Development leads

ID: SSS-02-01-09-02-02
Operation: Generate and maintain build metadata
Description: Produce metadata for every build, including details about the source repository, build parameters, and configurations. Ensure metadata is complete and up-to-date.
Phase: Development
Agent: Build engineers, Security team

ID: SSS-02-01-09-02-03
Operation: Enable metadata verification
Description: Ensure the build metadata is accessible to verifiers. Use explicit metadata (e.g., configuration files) for ecosystems that require it, or trust-on-first-use (TOFU) when appropriate.
Phase: Deployment
Agent: Build engineers, DevOps team

ID: SSS-02-01-09-02-04
Operation: Integrate metadata updates into CI/CD
Description: Automate the generation and updating of build metadata within the CI/CD pipeline to ensure consistency across all builds.
Phase: Deployment
Agent: DevOps team, Build engineer
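The producer and verifier sides of this practice can be shown together in one script. The following is an added example and is not SLSA's own tooling or code from the catalogue: the producer records build metadata (artifact digest, source repository and commit, builder identity, build parameters), a completeness check covers operation -02, and the verifier first consults an explicit expectation published for the artifact and otherwise falls back to trust-on-first-use, remembering the identity it accepted so that a later build from a different source or builder is rejected. The repository URL, builder identifier, commit value and artifact bytes are constructed placeholders.

```python
"""Added example: build metadata generation and verification with an
explicit-expectation path and a trust-on-first-use (TOFU) fallback.
All identifiers and artifact contents are constructed placeholders."""
import hashlib
import json
from typing import Tuple

# Fields a verifier needs before it can form any expectation about a build.
REQUIRED_FIELDS = ("artifact_sha256", "source", "builder", "build_params")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_build_metadata(artifact: bytes, source_repo: str, commit: str,
                        builder_id: str, build_params: dict) -> dict:
    """Producer side (operation -02): describe how the artifact was built."""
    return {
        "artifact_sha256": sha256_hex(artifact),
        "source": {"repository": source_repo, "commit": commit},
        "builder": builder_id,
        # Sorted so that equivalent builds serialise identically.
        "build_params": dict(sorted(build_params.items())),
    }


def metadata_is_complete(metadata: dict) -> bool:
    """Operation -02 check: every required field present and the source fully identified."""
    if not all(metadata.get(k) is not None for k in REQUIRED_FIELDS):
        return False
    return {"repository", "commit"} <= set(metadata["source"])


def verify_artifact(name: str, artifact: bytes, metadata: dict,
                    expectations: dict, tofu_store: dict) -> Tuple[bool, str]:
    """Verifier side (operation -03).

    expectations: explicit, published {artifact name: {repository, builder}} entries.
    tofu_store:   the verifier's own record of identities accepted on first use;
                  it is updated in place when no explicit expectation exists.
    """
    if not metadata_is_complete(metadata):
        return False, "metadata incomplete"
    if metadata["artifact_sha256"] != sha256_hex(artifact):
        return False, "artifact digest does not match metadata"

    identity = {"repository": metadata["source"]["repository"],
                "builder": metadata["builder"]}

    expected = expectations.get(name)
    if expected is not None:
        if identity != expected:
            return False, "build identity differs from published expectation"
        return True, "verified against explicit expectation"

    # No explicit metadata published for this artifact: trust on first use.
    seen = tofu_store.get(name)
    if seen is None:
        tofu_store[name] = identity
        return True, "no expectation published: trusted on first use"
    if seen != identity:
        return False, "build identity differs from first-seen identity"
    return True, "verified against first-seen identity"


# Constructed sample data.
ARTIFACT = b"constructed artifact bytes v1"
SOURCE_REPO = "https://example.invalid/org/app"
BUILDER_ID = "ci://example.invalid/builder"
COMMIT = "0" * 40  # placeholder commit id, not a real revision
EXPECTATIONS = {"app": {"repository": SOURCE_REPO, "builder": BUILDER_ID}}


if __name__ == "__main__":
    meta = make_build_metadata(ARTIFACT, SOURCE_REPO, COMMIT, BUILDER_ID,
                               {"target": "linux-amd64", "reproducible": True})
    print(json.dumps(meta, indent=2))
    print(verify_artifact("app", ARTIFACT, meta, EXPECTATIONS, {}))
    store = {}
    print(verify_artifact("lib", ARTIFACT, meta, {}, store))           # first use
    other = dict(meta, builder="ci://example.invalid/other-builder")
    print(verify_artifact("lib", ARTIFACT, other, {}, store))          # rejected
```

The explicit path is the stronger one: the expectation comes from a published configuration the producer maintains, so it survives a compromised or replaced builder. TOFU only detects change after the first accepted build, which is why the verifier keeps its own store and why the catalogue prefers explicit metadata wherever the ecosystem supports it.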

References

Industry framework:
  Information Security Manual (ISM-0401)
  NIST Secure Software Development Framework (PW.4.2)
  SLSA Supply-chain Levels for Software Artifacts (Levels 2 and 3, Producer: Follow a consistent build process)
Academic work: none listed
Real-world case: none listed