[ISM] SecDevOps practices:

SecDevOps practices are used for application development.

[SSDF] Shift-left security: Determine appropriate code review methods (SSS-02-02-03)

Establish guidelines for when code review (manual inspection) and/or code analysis (automated or semi-automated) should be conducted, based on organizational policies and the development stage. Apply both methods as needed for both third-party and in-house code, enhancing code quality and security throughout development.

[CISA] Establish a security assurance program for conducting code review (SSS-02-02-03-01)

Establish a security assurance program that defines when and how to conduct code reviews (manual inspections) and code analysis (automated or semi-automated) in accordance with organizational policies and the software development life cycle (SDLC) stage:

a) Perform a security risk evaluation early in the development process to determine the appropriate level and frequency of code review and code analysis activities.

b) Define and maintain security requirements for both in-house and third-party software components. These requirements guide which combination of manual inspections and automated analysis tools to use at each phase of development and maintenance.

c) Incorporate security requirements into the development and maintenance processes, ensuring that code reviews and code analyses are conducted at predefined checkpoints aligned with organizational standards and the current development stage.

d) Require that each software review and audit includes an evaluation of security requirements, using manual and/or automated techniques as necessary to validate compliance and identify potential vulnerabilities.

e) Integrate code analysis and review into configuration management and corrective action workflows. By doing so, changes to existing software are continuously evaluated to prevent security violations, and necessary adjustments are made promptly.

f) Ensure both logical and physical security controls protect the environments where code is reviewed and analyzed, maintaining the integrity and confidentiality of software and data.

g) Include security assurance activities, such as code inspection and automated scanning, throughout the requirements, design, implementation, testing, release, and maintenance phases. These activities should be seamlessly integrated into CI/CD pipelines and applied consistently to all software components.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-02-03-01-01 | Identify commonly used tools and technologies | Review existing software projects to catalog frequently used technologies, frameworks, and tools. Focus on high-level components that are widely adopted within the organization and align with its functional and security requirements. | Preparation | Senior Developers |
| SSS-02-02-03-01-02 | Curate and share a recommended list | Collaborate with senior developers, architects, managers, and security auditors to create a list of recommended tools and technologies. Consider factors such as incident history, vulnerability response, usability, and organizational expertise when selecting components. | Development | Architects |
| SSS-02-02-03-01-03 | Communicate recommendations to teams | Distribute the curated list across the organization and promote it as the default choice for project teams. Use internal documentation platforms or communication channels to ensure accessibility and adoption. | Deployment | Development Managers |
| SSS-02-02-03-01-04 | Perform periodic reviews for security and relevance | Regularly evaluate the recommended technologies to ensure they remain secure, relevant, and aligned with organizational needs. Update the list based on changes in the threat landscape, new vulnerabilities, or evolving organizational requirements. | Post-deployment | Security Auditors |
| SSS-02-02-03-01-05 | Monitor adoption and gather feedback | Track the usage of recommended tools and technologies across projects. Solicit feedback from development teams to identify challenges, improvements, or additional tools to include in future iterations of the list. | Post-deployment | Development Teams |

References

Industry framework:
- Information Security Manual (ISM-1780)
- NIST Secure Software Development Framework (PW.7.1)
- CISA (2.3.4 Review or analyze human-readable code, Recommended mitigations, 1.)

Academic work: none listed.

Real-world case: none listed.