G.2.2 Secure SDLC checks

Control Details

Objective

Criteria defined for the SDLC are used to check the software's security throughout development.

Definition

Define criteria for a secure SDLC and the associated software security checks that indicate how well the software produced by the SDLC, including AI models, meets the organization's expectations. Such checks include key performance indicators (KPIs), vulnerability severity scores, and the security checks included in the 'definition of done' of an agile process; they may be used for go/no-go decisions. Automated tooling improves the thoroughness, objectivity, and efficiency of these checks.
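As an added illustration (this is example code written for this page, not part of the control text or of any of the cited frameworks), the following Python release gate shows what a go/no-go check built on such criteria can look like in practice. It computes a few KPIs from scan results (open findings per CVSS severity band, the oldest open finding per band, fix rate), applies per-severity limits and SLA ages, and fails closed when a required check produced no results at all. The tool names, rule names, thresholds and findings are constructed assumptions, not real scanner output.

```python
"""Release gate: evaluate security-check results against go/no-go criteria.

Added example, not code from the original page. All findings, tool names
and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative band (NVD ranges)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    tool: str        # which check produced it, e.g. "sast", "sca", "secrets"
    rule_id: str     # tool-local rule name (constructed, not a real identifier)
    cvss: float      # CVSS v3 base score assigned to the finding
    opened: date     # first seen
    fixed: bool = False


@dataclass
class Policy:
    required_checks: tuple  # checks that must have produced results (fail closed)
    max_open: dict          # severity band -> max open findings allowed
    sla_days: dict          # severity band -> days a finding may stay open


@dataclass
class Decision:
    go: bool
    reasons: list   # empty when go is True
    kpis: dict


def evaluate(findings, checks_run, policy: Policy, today: date) -> Decision:
    """Apply the policy and return the go/no-go decision with KPIs."""
    reasons = []
    open_findings = [f for f in findings if not f.fixed]

    # KPIs: open count per band and age of the oldest open finding per band.
    counts = {b: 0 for b in ("critical", "high", "medium", "low")}
    oldest = {}
    for f in open_findings:
        band = cvss_band(f.cvss)
        if band == "none":
            continue
        counts[band] += 1
        age = (today - f.opened).days
        oldest[band] = max(oldest.get(band, 0), age)
    fix_rate = (len(findings) - len(open_findings)) / len(findings) if findings else 1.0

    # Missing evidence is never a pass: every required check must have run.
    for check in policy.required_checks:
        if check not in checks_run:
            reasons.append(f"required check '{check}' has no results")
    for band, limit in policy.max_open.items():
        if counts.get(band, 0) > limit:
            reasons.append(f"open {band} findings: {counts[band]} exceeds limit {limit}")
    for band, days in policy.sla_days.items():
        if oldest.get(band, 0) > days:
            reasons.append(f"oldest open {band} finding is {oldest[band]} days old, SLA is {days}")

    kpis = {"open_by_severity": counts, "oldest_open_days": oldest, "fix_rate": fix_rate}
    return Decision(go=not reasons, reasons=reasons, kpis=kpis)


def sample():
    """Constructed scan results and policy for a hypothetical release candidate."""
    findings = [
        Finding("sast", "sql-injection", 9.8, date(2024, 5, 1), fixed=True),
        Finding("sca", "vulnerable-dependency", 7.5, date(2024, 5, 20)),
        Finding("sast", "weak-hash", 5.3, date(2024, 4, 1)),
        Finding("sast", "info-disclosure", 3.1, date(2024, 5, 25)),
    ]
    policy = Policy(
        required_checks=("sast", "sca", "secrets"),
        max_open={"critical": 0, "high": 0, "medium": 5},
        sla_days={"high": 30, "medium": 90},
    )
    return findings, policy, date(2024, 6, 1)


if __name__ == "__main__":
    findings, policy, today = sample()
    d = evaluate(findings, {"sast", "sca", "secrets"}, policy, today)
    print("GO" if d.go else "NO-GO", d.reasons, d.kpis)
```

The gate is deliberately conservative: an absent result from a required check counts as a failure rather than a pass, so a pipeline step that silently did not run cannot produce a green release. Thresholds and SLA ages belong in the policy object so that the criteria themselves are versioned and reviewable, separate from the tooling that enforces them.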

Assessment Questions

  1. What kinds of criteria for security checks have been established, for example for security testing results?
  2. How can these checks indicate if security practices are being used and secure software is being developed?
  3. How are these checks tracked through the SDLC?
  4. Are the checks automated or manual?

Reference sources

  1. EO 4e(iv) 4e(v)
  2. SSDF PO.4.1
  3. SSDF-AI PO.4.1
  4. BSIMM SM1.4 SM3.3
  5. 800-161 SA-15
  6. Self-attestation 4
  7. SAMM G-SM-2-B G-PC-1-A G-PC-1-B
  8. OSPS OSPS-VM-04