G.2.4 Security code review policy

Control Details

Objective

Guidelines on which code should undergo a security-focused manual or automated review are communicated.

Definition

Policies define whether security-focused code review (a person looks directly at the code to find issues) and security-focused code analysis (tools are used to find issues in code, either fully automated or in conjunction with a person) should be conducted, based upon the characteristics and criticality of the software and its stage of development. Policies are established both for code and AI models developed in-house and for third-party code and AI models.

Assessment Questions

  1. What guidelines are in place for determining which code and models must be reviewed, manually or automatically, from a security perspective?
  2. How are these guidelines communicated and enforced?

Reference sources

  1. EO 4e(iv)
  2. SSDF PW.7.1
  3. SSDF-AI PW.7.1
  4. BSIMM CR1.4 CR1.5
  5. 800-161 SA-11
  6. Self-attestation 2 4
  7. SAMM G-PC-1-A
  8. OSPS OSPS-DO-06 OSPS-GV-03 OSPS-QA-07