P.2.5 In-house components

Control Details

Objective

Maintain components built in-house.

Definition

When no third-party component meets a development need, the in-house component or script that replaces it is built under the same secure SDLC process. In-house components are then handled much like third-party ones: they are kept in a repository, actively maintained, and regularly scanned for vulnerabilities, and fixed versions are deployed across the organization as needed.
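One way to turn the last sentence into a repeatable check, as an added example that is not part of this control text or any tool it references: match the component repository against an internal advisory list, report which released versions are affected, and decide for each advisory whether a new version must be built and which deployments still consume an affected version and therefore need the rollout. The component names, advisory identifiers (INT-2024-001, INT-2024-002), version constraints and deployment map below are all constructed for illustration.

```python
"""Scan an in-house component repository against internal advisories and
plan which new versions to build and where to roll them out.
Added example: every name, version, advisory and deployment here is constructed."""
import operator
import re

# Constructed inventory of in-house components: name -> released versions.
COMPONENT_REPOSITORY = {
    "auth-lib": ["1.2.0", "1.3.0", "1.4.1", "1.4.2"],
    "deploy-scripts": ["0.9.0", "1.0.0"],
}

# Constructed internal advisories. "affected" uses the comma-separated
# constraint form common to SCA tools, e.g. "<1.4.2" or ">=1.2.0,<1.3.0".
# fixed_in is None when no fixed release exists yet.
ADVISORIES = [
    {"id": "INT-2024-001", "component": "auth-lib", "affected": "<1.4.2",
     "fixed_in": "1.4.2", "summary": "session token not bound to client"},
    {"id": "INT-2024-002", "component": "deploy-scripts",
     "affected": ">=0.9.0,<=1.0.0", "fixed_in": None,
     "summary": "credentials written to build log"},
]

# Constructed map of deployed services -> the component versions they consume.
DEPLOYMENTS = {
    "billing-api": {"auth-lib": "1.3.0", "deploy-scripts": "1.0.0"},
    "portal": {"auth-lib": "1.4.2"},
    "batch-jobs": {"deploy-scripts": "0.9.0"},
}

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq}
_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Dotted numeric version -> tuple, so 1.10.0 sorts after 1.9.0."""
    return tuple(int(part) for part in text.split("."))


def version_matches(version, affected):
    """True if the version satisfies every constraint in the affected range."""
    v = parse_version(version)
    for raw in affected.split(","):
        match = _CONSTRAINT.match(raw.strip())
        if not match:
            raise ValueError(f"unsupported constraint: {raw!r}")
        op, bound = match.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def scan_repository(repository=COMPONENT_REPOSITORY, advisories=ADVISORIES):
    """Return {(component, version): [advisory ids]} for every released
    version in the repository that an advisory covers."""
    findings = {}
    for adv in advisories:
        for version in repository.get(adv["component"], []):
            if version_matches(version, adv["affected"]):
                key = (adv["component"], version)
                findings.setdefault(key, []).append(adv["id"])
    return findings


def plan_releases(repository=COMPONENT_REPOSITORY, advisories=ADVISORIES,
                  deployments=DEPLOYMENTS):
    """For each advisory: must a new version be built (no fixed release in
    the repository yet), and which deployments still run an affected
    version and need the fixed version rolled out."""
    plan = []
    for adv in advisories:
        comp, fixed = adv["component"], adv["fixed_in"]
        build_new = fixed is None or fixed not in repository.get(comp, [])
        redeploy = sorted(
            service for service, comps in deployments.items()
            if comp in comps and version_matches(comps[comp], adv["affected"])
        )
        plan.append({"advisory": adv["id"], "component": comp,
                     "build_new_version": build_new, "redeploy": redeploy})
    return plan


if __name__ == "__main__":
    for (comp, ver), ids in sorted(scan_repository().items()):
        print(f"affected: {comp} {ver} ({', '.join(ids)})")
    for item in plan_releases():
        action = "build new version" if item["build_new_version"] else "fixed version exists"
        print(f"{item['advisory']} {item['component']}: {action}; redeploy {item['redeploy']}")
```

Run on a schedule, the same two functions answer the first two assessment questions in one pass: the scan shows which in-house versions are affected, and the plan shows what triggers a new version (an advisory with no fixed release in the repository) and where it must be deployed. Real pipelines would read the inventory from the artifact repository and the advisory list from the internal tracker instead of the constructed dictionaries above.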

Assessment Questions

  1. What processes are used to scan in-house components, built under the SDLC, for vulnerabilities, and how does that process compare with the one used for third-party components?
  2. What triggers the release of a new version of an in-house component?
  3. How are in-house components monitored to ensure they are regularly maintained?

Reference sources

  1. EO 4e(ix)
  2. SSDF PW.4.2
  3. BSIMM SFD2.1
  4. CNCF-SSC M-A Scan software for vulnerabilities
  5. SAMM D-SA-2-A, D-SA-2-B