P.1.1 Product security requirements

Control Details

Objective

Identify and document security requirements for organization-developed software, including AI models

Definition

Identify and document security requirements for organization-developed software, including AI models. These requirements cover risk-reducing software architecture and design choices, security patterns, and the translation of compliance constraints into requirements. Examples include using memory-safe languages and secure frameworks, component isolation and sandboxing strategies, code modularity, security features, secure-by-design components, application containers, and product features that aid in secure deployment, operation, and maintenance. Containers can be used to couple an application more tightly with its dependencies, to provide immutability, and to gain some isolation benefits. Maintain these requirements over time.

Assessment Questions

  1. How are risk-reducing security architecture and design requirements for products considered and developed?
  2. Which of the following strategies are considered: the use of memory-safe languages, secure frameworks, isolation, acceptance testing, and sandboxing?
  3. How are completion and adherence tracked?

Reference sources

  1. EO 4e(iv)
  2. SSDF PO.1.2
  3. SSDF-AI PO.1.2
  4. BSIMM CP1.1 CP1.2 CP1.3 CP2.1 SE2.5 SFD1.1 SFD2.1 SDF3.2 SR1.3
  5. 800-161 SA-8 SA-17
  6. SAMM D-SR-2-A D-SA-2-B
  7. OSPS OSPS-SA-01