E.2.3 Defensive compilation and build
Control Details
Objective
Reduce vulnerabilities during compilation and build.
Definition
Determine which compiler, interpreter, AI training, and build tool features should be used to reduce vulnerabilities, for example: producing compiler warnings for vulnerable code and treating those warnings as errors; applying obfuscation techniques; using only approved configurations; verifying the sources and manifests of dependencies; and keeping the approved tool configurations available as configuration-as-code so they are versioned and applied consistently to every build.
Assessment Questions
- How do you use compiler, interpreter, and build tool features to detect vulnerabilities?
- Describe your system for preventing the use of vulnerable or malicious components in the build (e.g. a deny list).
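As an added example (not part of this control text or of any of the referenced frameworks), the following Python script shows the two checks the definition and the second assessment question ask for: a hardening-flag policy held as configuration-as-code that rejects builds missing the approved compiler and linker flags or carrying flags that undo them, and a dependency gate that verifies a fetched component against a pinned manifest of SHA-256 digests and a deny list. The flag sets, the deny list, the sample artifact and its manifest entry are all constructed for the example; a real project would keep the policy in version control next to its build definitions and record the digests when a dependency is approved.

```python
"""Build-policy gate, constructed as an illustrative example: approved
compiler/linker flags as configuration-as-code, plus verification of
dependencies against a pinned manifest and a deny list."""
import hashlib
import hmac
import shlex

# Constructed policy: flags every native build must carry. -Werror turns
# warnings into build failures; the rest enable stack protection, fortified
# libc calls, PIE and full RELRO.
REQUIRED_CFLAGS = {
    "-Wall", "-Wextra", "-Werror",
    "-fstack-protector-strong",
    "-D_FORTIFY_SOURCE=2",
    "-fPIE",
}
REQUIRED_LDFLAGS = {"-pie", "-Wl,-z,relro,-z,now"}
# Flags that silently undo the hardening above. GCC and Clang honour the
# last occurrence on the command line, so mere presence is a violation.
FORBIDDEN_FLAGS = {
    "-Wno-error", "-fno-stack-protector", "-U_FORTIFY_SOURCE",
    "-no-pie", "-Wl,-z,norelro", "-Wl,-z,lazy",
}

# Constructed deny list of components known to be vulnerable or malicious.
DENY_LIST = {("evil-helper", "1.2.3")}


def check_flags(cflags, ldflags):
    """Return the list of policy violations; an empty list means approved."""
    c_tokens = set(shlex.split(cflags))
    ld_tokens = set(shlex.split(ldflags))
    problems = []
    problems += [f"missing CFLAGS {f}" for f in sorted(REQUIRED_CFLAGS - c_tokens)]
    problems += [f"missing LDFLAGS {f}" for f in sorted(REQUIRED_LDFLAGS - ld_tokens)]
    problems += [f"forbidden flag {f}"
                 for f in sorted(FORBIDDEN_FLAGS & (c_tokens | ld_tokens))]
    return problems


def sha256_hex(data):
    """Hex SHA-256 of an artifact's bytes, the form recorded in the manifest."""
    return hashlib.sha256(data).hexdigest()


def verify_dependency(name, version, data, manifest):
    """Gate a fetched component. Returns "ok" or a reason to abort the build.

    The manifest maps (name, version) to the SHA-256 recorded when the
    dependency was approved. Anything unpinned is rejected rather than
    trusted on first use, and the deny list wins over the manifest.
    """
    if (name, version) in DENY_LIST:
        return "denied"
    pinned = manifest.get((name, version))
    if pinned is None:
        return "unpinned"
    if not hmac.compare_digest(sha256_hex(data), pinned):
        return "digest mismatch"
    return "ok"


# Constructed sample artifact and the manifest entry recorded for it.
SAMPLE_DEPENDENCY = b"libfoo-2.0.1 source tarball contents (constructed)"
SAMPLE_MANIFEST = {("libfoo", "2.0.1"): sha256_hex(SAMPLE_DEPENDENCY)}

if __name__ == "__main__":
    good = check_flags(
        "-O2 -Wall -Wextra -Werror -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE",
        "-pie -Wl,-z,relro,-z,now",
    )
    bad = check_flags("-O2 -Wall -Werror -Wno-error", "")
    print("approved flags:", good)   # []
    print("rejected flags:", bad)
    print(verify_dependency("libfoo", "2.0.1", SAMPLE_DEPENDENCY, SAMPLE_MANIFEST))  # ok
    print(verify_dependency("libfoo", "2.0.1", SAMPLE_DEPENDENCY + b"\n",
                            SAMPLE_MANIFEST))                                       # digest mismatch
    print(verify_dependency("evil-helper", "1.2.3", b"", SAMPLE_MANIFEST))          # denied
```

Two caveats a practitioner should keep in mind: the token comparison only recognises the canonical spelling of each flag, so either normalise alternative forms (for example `-Wl,-z,relro -Wl,-z,now` as two tokens) before the check or extend the tokeniser, and `-D_FORTIFY_SOURCE` only takes effect when the build is optimised (`-O1` or higher), which this policy does not yet enforce.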
Reference sources
- EO 4e(iv)
- SSDF PW.6.1
- SSDF-AI PW.6.1
- SLSA Verifying build platforms
- OWASP-SCVS 3
- S2C2F REB-1
- Self-attestation 3
- SAMM I-SB-1-A