| Section 4e clause(s) | Practice |
|---|---|
| 4e(ix) | G.1.1 Organizational security requirements |
| 4e(i)(F), 4e(ii), 4e(v) | G.1.3 Produce attestation |
| 4e(vi), 4e(vii), 4e(x) | G.1.4 Deliver provenance |
| 4e(vi), 4e(vii), 4e(x) | G.1.5 Deliver SBOM |
| 4e(ix) | G.2.1 Upper management support |
| 4e(iv), 4e(v) | G.2.2 Secure SDLC checks |
| 4e(ix) | G.2.3 Roles and responsibilities |
| 4e(iv) | G.2.4 Security code review policy |
| 4e(vi) | G.3.1 Security-related contract terms |
| 4e(vi) | G.4.1 Role-based training |
| 4e(vi), 4e(vii) | G.4.3 Gather attack trends |
| 4e(v) | G.5.2 Track security risks and decisions |
| 4e(iv), 4e(v) | G.5.4 Data-informed product decisions |
| 4e(iv) | P.1.1 Product security requirements |
| 4e(iii) | P.1.2 Software release integrity |
| 4e(iv), 4e(v), 4e(ix) | P.2.1 Security design review |
| 4e(iv) | P.2.2 Secure coding |
| 4e(iv) | P.2.3 Secure-by-default implementation |
| 4e(ix) | P.2.4 Standard security features |
| 4e(ix) | P.2.5 In-house components |
| 4e(iii), 4e(vi), 4e(x) | P.3.4 Vetted third-party component and container repositories |
| 4e(iv), 4e(v) | P.4.1 Security code review |
| 4e(i)(F), 4e(ii), 4e(iii), 4e(v), 4e(vi) | P.4.2 Automated security scanning tools |
| 4e(iv), 4e(vi), 4e(viii) | P.4.3 Automated vulnerability detection |
| 4e(iv), 4e(v) | P.4.4 Executable security testing |
| 4e(iii), 4e(iv), 4e(vi), 4e(x) | P.4.5 Regular third-party compliance |
| 4e(iii), 4e(vi), 4e(x) | E.1.1 Safely store release artifacts |
| 4e(i)(C), 4e(iii), 4e(iv) | E.1.2 Version control |
| 4e(iv) | E.2.3 Defensive compilation and build |
| 4e(iv) | E.2.4 CI/CD hosting and automation |
| 4e(i)(A), 4e(i)(B), 4e(i)(C), 4e(i)(D), 4e(i)(E), 4e(i)(F), 4e(ii), 4e(iii), 4e(v), 4e(vi) | E.3.2 Environmental separation |
| 4e(iv), 4e(viii) | D.1.1 Vulnerability analysis |
| 4e(iv), 4e(v), 4e(viii) | D.1.2 Risk-based vulnerability remediation |
| 4e(viii) | D.1.3 Vulnerability disclosure |
| 4e(iv), 4e(viii) | D.1.4 Vulnerability eradication |
| 4e(ix) | D.1.6 Root cause analysis |
| 4e(vii) | D.2.1 System monitoring |