P.4.2 Automated security scanning tools

Control Details

Objective

Choose tools to efficiently discover previously-undetected vulnerabilities

Definition

Specify which tools or tool types must or should be included in each toolchain to reduce human effort in discovering vulnerabilities and mitigating identified security risks, and to improve the accuracy, reproducibility, usability, and comprehensiveness of security practices in the SDLC. Tools commonly include SAST, DAST, IAST, SCA, and secret detection tools. Specify how the toolchain components will be integrated, such as through the CI/CD pipeline. Follow recommended practices for tool selection and scanning, and for deploying, operating, and maintaining tools and toolchains.

Assessment Questions

  1. What security tools are in your toolchain?
  2. SAST?
  3. DAST?
  4. IAST?
  5. How often is the scanning done for third-party components?
  6. Do you use a tool to detect secrets in code?
  7. What happens with the reported vulnerabilities?
  8. How do you scan your tools for vulnerabilities?
  9. How do you scan acquired AI models for security issues?
  10. How do you scan released AI models for security issues?

Reference sources

  1. EO 4e(i)(F) 4e(ii) 4e(iii) 4e(v) 4e(vi)
  2. SSDF PO.3.1 PO.3.2
  3. SSDF-AI PO.3.1 PO.3.2
  4. BSIMM CR1.4 SE.3.9 ST1.4 ST2.5
  5. 800-161 SA-15
  6. OWASP-SCVS 5.1 5.4
  7. OSSF-Scorecard sast fuzzing
  8. Self-attestation 1f, 2, 3
  9. SAMM I-SB-2-A I-SD-2-A I-SB-3-A
  10. OSPS OSPS-QA-03 OSPS-QA-06 OSPS-VM-05 OSPS-VM-06