| Item(s) | Practice |
|---|---|
| 2 | G.1.1 Organizational security requirements |
| 1f | G.1.3 Produce attestation |
| 3 | G.1.4 Deliver provenance |
| 3 | G.1.5 Deliver SBOM |
| 4 | G.2.2 Secure SDLC checks |
| 2, 4 | G.2.4 Security code review policy |
| 3 | G.3.1 Security-related contract terms |
| 2 | G.4.3 Gather attack trends |
| 4 | G.5.4 Data-informed product decisions |
| 4 | P.2.1 Security design review |
| 4 | P.2.2 Secure coding |
| 4 | P.2.3 Secure-by-default implementation |
| 2, 3 | P.3.4 Vetted third-party component and container repositories |
| 4 | P.4.1 Security code review |
| 1f, 2, 3 | P.4.2 Automated security scanning tools |
| 3, 4 | P.4.3 Automated vulnerability detection |
| 2, 4 | P.4.4 Executable security testing |
| 2, 3, 4 | P.4.5 Regular third-party compliance |
| 3 | E.2.3 Defensive compilation and build |
| 4 | E.2.4 CI/CD hosting and automation |
| 1a, 1b, 1c, 1d, 1e, 1f, 2, 3 | E.3.2 Environmental separation |