BSIMM (Building Security In Maturity Model), Version 15

Source Document: https://www.blackduck.com/content/dam/black-duck/en-us/reports/bsimm-report.pdf

BSIMM - P-SSCRM mapping

| BSIMM activities | P-SSCRM task | P-SSCRM task name |
|---|---|---|
| CP1.1 CP1.2 CP1.3 SE3.9 SR1.1 SR2.2 SR3.3 | G.1.1 | Organizational security requirements |
| SE3.9 SM1.4 SR1.3 | G.1.3 | Produce attestation |
| SE3.6 | G.1.5 | Deliver SBOM |
| SM1.3 CP2.5 | G.2.1 | Upper management support |
| SM1.4 SM3.3 | G.2.2 | Secure SDLC checks |
| SM2.3 SM2.7 CR1.7 | G.2.3 | Roles and responsibilities |
| CR1.4 CR1.5 | G.2.4 | Security code review policy |
| CMVM2.3 SM3.1 | G.2.5 | Asset inventory |
| CP2.4 CP3.2 SR2.5 SR3.2 | G.3.1 | Security-related contract terms |
| T1.1 T1.7 T1.8 T2.5 T2.8 T2.9 T3.1 T3.2 | G.4.1 | Role-based training |
| T1.1 | G.4.2 | Contingency training |
| AM1.5 CMVM1.2 | G.4.3 | Gather attack trends |
| AA1.4 | G.5.1 | Criticality analysis |
| SFD3.1 SM3.5 | G.5.2 | Track security risks and decisions |
| SM2.1 SM3.3 | G.5.3 | Security metrics |
| SM1.4 SM1.7 | G.5.4 | Data-informed product decisions |
| CP1.1 CP1.2 CP1.3 CP2.1 SE2.5 SFD1.1 SFD2.1 SFD3.2 SR1.3 | P.1.1 | Product security requirements |
| SE2.4 | P.1.2 | Software release integrity |
| AA1.1 AA1.2 AA2.1 AA3.1 | P.2.1 | Security design review |
| SR3.3 CR1.4 CR3.5 | P.2.2 | Secure coding |
| SE1.4 | P.2.3 | Secure-by-default implementation |
| SFD1.1 SFD3.2 | P.2.4 | Standard security features |
| SFD2.1 | P.2.5 | In-house components |
| SR1.5 | P.3.1 | Component and container choice |
| SE2.4 | P.3.3 | Require signed commits |
| SFD2.1 SFD3.2 SR2.4 SR2.7 | P.3.4 | Vetted third-party component and container repositories |
| CR1.2 CR1.4 CR2.8 CR2.6 CR2.7 CR3.4 CR3.5 | P.4.1 | Security code review |
| CR1.4 SE3.9 ST1.4 ST2.5 | P.4.2 | Automated security scanning tools |
| CMVM3.1 | P.4.3 | Automated vulnerability detection |
| ST1.1 ST1.3 ST1.4 ST2.4 ST2.5 ST2.6 ST3.3 ST3.4 ST3.5 ST3.6 PT1.1 PT1.2 PT1.3 PT2.3 PT3.1 CMVM3.4 | P.4.4 | Executable security testing |
| SE2.4 SE3.2 | E.2.4 | CI/CD hosting and automation |
| SE2.7 | E.2.5 | Secured orchestration platform |
| SE3.10 | E.3.2 | Environmental separation |
| CMVM1.3 | D.1.1 | Vulnerability analysis |
| CMVM1.1 CMVM1.4 CMVM2.4 | D.1.3 | Vulnerability disclosure |
| CR3.3 CMVM3.1 | D.1.4 | Vulnerability eradication |
| CP3.3 CMVM3.2 | D.1.6 | Root cause analysis |