P.2.4 Standard security features

Control Details

Objective

Reduce the introduction of new vulnerabilities by reusing standardized, proven security features instead of implementing bespoke equivalents.

Definition

Build on standardized rather than proprietary security features: for example, integrate with existing log management, identity management, access control, or vulnerability management systems instead of writing in-house replacements. Reused components of this kind are more likely to have already had their security posture reviewed and tested; they still have to be configured and kept current, but the design and implementation risk is lower than for a custom implementation.

Assessment Questions

  1. Please describe your philosophy on whether it is better to use available security features or to 'roll your own', for example for log management, identity management, access control, and vulnerability management.
  2. What factors determine whether you use in-house or standardized features?

Reference sources

  1. EO 4e(ix)
  2. SSDF PW.1.3
  3. BSIMM SFD1.1, SFD3.2
  4. SAMM D-SA-2-A