| NIST SSDF practice(s) | Mapped practice |
|---|---|
| PO.1.1, PO.1.2 | G.1.1 Organizational security requirements |
| PO.3.3 | G.1.3 Produce attestation |
| PS.3.2 | G.1.4 Deliver provenance |
| PS.3.2 | G.1.5 Deliver SBOM |
| PO.2.3 | G.2.1 Upper management support |
| PO.4.1 | G.2.2 Secure SDLC checks |
| PO.2.1 | G.2.3 Roles and responsibilities |
| PW.7.1 | G.2.4 Security code review policy |
| PO.1.3, PW.3.1, PW.3.2, PW.3.3 | G.3.1 Security-related contract terms |
| PO.2.2 | G.4.1 Role-based training |
| RV.1.1 | G.4.3 Gather attack trends |
| PO.1.2 | P.1.1 Product security requirements |
| PS.2.1 | P.1.2 Software release integrity |
| PW.1.1 | P.2.1 Security design review |
| PW.5.1 | P.2.2 Secure coding |
| PW.9.1 | P.2.3 Secure-by-default implementation |
| PW.4.1 | P.3.4 Vetted third-party component and container repositories |
| PW.7.2 | P.4.1 Security code review |
| PO.3.1, PO.3.2 | P.4.2 Automated security scanning tools |
| RV.1.2 | P.4.3 Automated vulnerability detection |
| PW.8.1, PW.8.2 | P.4.4 Executable security testing |
| PW.4.4 | P.4.5 Regular third-party compliance |
| PS.3.1 | E.1.1 Safely store release artifacts |
| PS.1.1, PS.1.2, PS.1.3 | E.1.2 Version control |
| PW.6.1 | E.2.3 Defensive compilation and build |
| PW.6.2 | E.2.4 CI/CD hosting and automation |
| PO.5.1 | E.3.2 Environmental separation |
| RV.2.1 | D.1.1 Vulnerability analysis |
| RV.2.2 | D.1.2 Risk-based vulnerability remediation |
| RV.1.3 | D.1.3 Vulnerability disclosure |
| RV.3.3 | D.1.4 Vulnerability eradication |
| RV.3.1 | D.1.6 Root cause analysis |
| PO.5.3 | D.2.1 System monitoring |