| Mapped identifiers | Practice |
| --- | --- |
| G-PC-1-A, G-PC-2-B | G.1.1 Organizational security requirements |
| I-SB-3-A | G.1.3 Produce attestation |
| I-SB-2-B | G.1.4 Deliver provenance |
| I-SB-2-B | G.1.5 Deliver SBOM |
| G-SM-2-A | G.2.1 Upper management support |
| G-SM-2-B, G-PC-1-A, G-PC-1-B | G.2.2 Secure SDLC checks |
| G-EG-2-B | G.2.3 Roles and responsibilities |
| G-PC-1-A | G.2.4 Security code review policy |
| D-SR-3-B | G.3.1 Security-related contract terms |
| G-EG-2-A | G.4.1 Role-based training |
| I-SB-2-B, V-ST-2-A, O-EM-3-B | G.4.3 Gather attack trends |
| G-SM-3-B | G.5.4 Data-informed product decisions |
| D-SR-2-A, D-SA-2-B | P.1.1 Product security requirements |
| I-SD-3-A | P.1.2 Software release integrity |
| D-TA-2-A, D-TA-1-B, V-AA-1-B, V-AA-2-A, V-RT-2-A, V-RT-2-B | P.2.1 Security design review |
| D-SA-1-A | P.2.2 Secure coding |
| D-SA-1-A, V-AA-1-A, I-SD-1-A, O-EM-2-A | P.2.3 Secure-by-default implementation |
| D-SA-2-A | P.2.4 Standard security features |
| D-SA-2-B, D-SA-2-A | P.2.5 In-house components |
| I-SB-3-B | P.3.4 Vetted third-party component and container repositories |
| V-ST-3-B, V-ST-3-A | P.4.1 Security code review |
| I-SB-2-A, I-SD-2-A, I-SB-3-A | P.4.2 Automated security scanning tools |
| V-ST-3-B, V-ST-2-A | P.4.3 Automated vulnerability detection |
| G-PC-1-A, V-RT-2-A, V-RT-2-B, V-ST-3-A, V-ST-3-B | P.4.4 Executable security testing |
| I-SB-3-B, D-SR-2-B | P.4.5 Regular third-party compliance |
| I-SB-1-A | E.1.1 Safely store release artifacts |
| I-SB-1-A | E.1.2 Version control |
| I-SB-1-A | E.2.3 Defensive compilation and build |
| I-SB-1-A | E.2.4 CI/CD hosting and automation |
| O-EM-2-A, O-OM-2-A, I-SD-1-B, O-IM-2-A, O-EM-2-B, I-SB-2-A, G-PC-1-A | E.3.2 Environmental separation |
| I-DM-2-A | D.1.1 Vulnerability analysis |
| I-DM-2-A | D.1.3 Vulnerability disclosure |
| I-DM-3-B | D.1.4 Vulnerability eradication |
| I-DM-2-A, G-SM-2-B, I-DM-3-B | D.1.6 Root cause analysis |