PO.4: Define and Use Criteria for Software Security Checks

Help ensure that the software resulting from the SDLC meets the organization’s expectations by defining and using criteria for checking the software’s security during development.

PO.4.1

Define criteria for software security checks and track throughout the SDLC.

Implementation Examples
  • Example 1: Ensure that the criteria adequately indicate how effectively security risk is being managed.
  • Example 2: Define key performance indicators (KPIs), key risk indicators (KRIs), vulnerability severity scores, and other measures for software security.
  • Example 3: Add software security criteria to existing checks (e.g., the Definition of Done in agile SDLC methodologies).
  • Example 4: Review the artifacts generated as part of the software development workflow system to determine if they meet the criteria.
  • Example 5: Record security check approvals, rejections, and exception requests as part of the workflow and tracking system.
  • Example 6: Analyze collected data in the context of the security successes and failures of each development project, and use the results to improve the SDLC.
References

PO.4.2

Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria.

Implementation Examples
  • Example 1: Use the toolchain to automatically gather information that informs security decision-making.
  • Example 2: Deploy additional tools if needed to support the generation and collection of information supporting the criteria.
  • Example 3: Automate decision-making processes utilizing the criteria, and periodically review these processes.
  • Example 4: Only allow authorized personnel to access the gathered information, and prevent any alteration or deletion of the information.
References
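The two practices above describe criteria (severity thresholds, required checks, recorded approvals and exceptions) and the information-handling around them (automated gathering, automated decisions, protection against alteration). The following is an added example, not part of the SSDF text or any NIST reference implementation, that shows one way to express such criteria as code and to record the resulting decisions tamper-evidently. The criteria values, the finding and exception data, the check names and the HMAC key are all constructed for illustration; the function names (evaluate, append_record, verify_log) are assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed security criteria (assumed thresholds, not values from the SSDF
# text): how many open findings per severity a build may carry, and which
# checks must have produced results before a decision is made at all.
CRITERIA = {
    "max_open_by_severity": {"critical": 0, "high": 2, "medium": 10},
    "required_checks": ["sast", "dependency_scan", "secrets_scan"],
}


def evaluate(findings, checks_run, exceptions, criteria=CRITERIA):
    """Apply the criteria to one build's findings and return a decision record.

    findings   -- list of dicts {"id", "check", "severity"} from the toolchain
    checks_run -- set of check names that actually produced results
    exceptions -- dict finding id -> {"approved_by", "ticket"} for accepted risk
    The record carries pass/fail, the reasons for a rejection, and the KPIs
    (open findings per severity, exceptions applied) that PO.4.1 asks to track.
    """
    reasons = []
    missing = [c for c in criteria["required_checks"] if c not in checks_run]
    if missing:
        reasons.append(f"required checks missing: {missing}")

    open_counts = {}
    excepted = []
    for f in findings:
        if f["id"] in exceptions:          # approved exception: not counted as open
            excepted.append(f["id"])
            continue
        open_counts[f["severity"]] = open_counts.get(f["severity"], 0) + 1

    for sev, limit in criteria["max_open_by_severity"].items():
        if open_counts.get(sev, 0) > limit:
            reasons.append(f"{open_counts[sev]} open {sev} findings exceed limit {limit}")

    return {
        "passed": not reasons,
        "reasons": reasons,
        "kpis": {
            "open_by_severity": open_counts,
            "exceptions_applied": excepted,
            "total_findings": len(findings),
        },
    }


def _canonical(obj):
    # Stable serialisation so the MAC does not depend on dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_record(log, record, key):
    """Append a decision to the log, chained to the previous entry by its MAC.

    Each entry is authenticated with an HMAC over (seq, prev, record), so an
    edited entry, a reordered entry or a removed middle entry no longer verifies.
    Truncating the tail is only detectable if the latest MAC is also stored
    somewhere the log writer cannot modify (assumption: done out of band).
    """
    prev = log[-1]["mac"] if log else "0" * 64
    entry = {"seq": len(log), "prev": prev, "record": record}
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_log(log, key):
    """Return True only if every entry chains correctly and its MAC matches."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False
        body = {k: entry[k] for k in ("seq", "prev", "record")}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False
        prev = entry["mac"]
    return True


# Constructed sample data: findings as a toolchain might report them.
SAMPLE_FINDINGS = [
    {"id": "F-1", "check": "sast", "severity": "high"},
    {"id": "F-2", "check": "sast", "severity": "high"},
    {"id": "F-3", "check": "dependency_scan", "severity": "critical"},
    {"id": "F-4", "check": "secrets_scan", "severity": "medium"},
]
SAMPLE_EXCEPTIONS = {"F-3": {"approved_by": "appsec-lead", "ticket": "RISK-001"}}
CHECKS_RUN = {"sast", "dependency_scan", "secrets_scan"}
KEY = b"constructed-demo-key-do-not-reuse"   # assumption: a real key lives in a secret store


def demo():
    """Run two builds through the gate and return the tamper-evident log."""
    log = []
    # Build 1: the critical finding has an approved exception, so it passes.
    append_record(log, {"build": "demo-build-1",
                        **evaluate(SAMPLE_FINDINGS, CHECKS_RUN, SAMPLE_EXCEPTIONS)}, KEY)
    # Build 2: same findings, no exception granted, so it is rejected.
    append_record(log, {"build": "demo-build-2",
                        **evaluate(SAMPLE_FINDINGS, CHECKS_RUN, {})}, KEY)
    return log


if __name__ == "__main__":
    for entry in demo():
        print(json.dumps(entry["record"], sort_keys=True))
```

The decision record is what the workflow system would keep as the approval, rejection or exception evidence from PO.4.1 Example 5; the chained MAC is one way to meet the "prevent any alteration or deletion" expectation of PO.4.2 Example 4, provided the key is held by something other than the build job that writes the log.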