| SSDF practice | Requirement |
|---|---|
| PO.1.1 | G.1.1 Organizational security requirements |
| PO.3.3 | G.1.3 Produce attestation |
| PS.3.2 | G.1.4 Deliver provenance |
| PS.3.2 | G.1.5 Deliver SBOM |
| PO.2.3 | G.2.1 Upper management support |
| PO.4.1 | G.2.2 Secure SDLC checks |
| PO.2.1 | G.2.3 Roles and responsibilities |
| PW.7.1 | G.2.4 Security code review policy |
| PO.1.3 | G.3.1 Security-related contract terms |
| PO.2.2 | G.4.1 Role-based training |
| RV.1.1 | G.4.3 Gather attack trends |
| PW.1.2 | G.5.2 Track security risks and decisions |
| PO.4.2 | G.5.4 Data-informed product decisions |
| PO.1.2 | P.1.1 Product security requirements |
| PS.2.1 | P.1.2 Software release integrity |
| PW.1.1, PW.2.1 | P.2.1 Security design review |
| PW.5.1 | P.2.2 Secure coding |
| PW.9.1, PW.9.2 | P.2.3 Secure-by-default implementation |
| PW.1.3 | P.2.4 Standard security features |
| PW.4.2 | P.2.5 In-house components |
| PW.4.1 | P.3.4 Vetted third-party component and container repositories |
| PW.7.2 | P.4.1 Security code review |
| PO.3.1, PO.3.2 | P.4.2 Automated security scanning tools |
| RV.1.2 | P.4.3 Automated vulnerability detection |
| PW.8.1, PW.8.2 | P.4.4 Executable security testing |
| PW.4.4 | P.4.5 Regular third-party compliance |
| RV.1.1 | P.5.2 Dependency update |
| PS.3.1 | E.1.1 Safely store release artifacts |
| PS.1.1 | E.1.2 Version control |
| PW.6.1 | E.2.3 Defensive compilation and build |
| PW.6.2 | E.2.4 CI/CD hosting and automation |
| PW.6.2 | E.2.8 Hardened and isolated builds |
| PO.5.1, PO.5.2 | E.3.2 Environmental separation |
| RV.2.1 | D.1.1 Vulnerability analysis |
| RV.2.2 | D.1.2 Risk-based vulnerability remediation |
| RV.1.3 | D.1.3 Vulnerability disclosure |
| RV.3.3 | D.1.4 Vulnerability eradication |
| RV.3.1, RV.3.2, RV.3.4 | D.1.6 Root cause analysis |