PO.6: Define and Implement a Continuous Process Improvement Plan
Identify and execute improvements to cybersecurity processes and procedures throughout the SDLC across all SSDF practices.
PO.6.1
Update and improve software development environments in response to new threats and as new tools are included in the development process.
Implementation Examples
- Example 1: Add new scanning tools or update the configurations of existing tools to check for malicious content in artifacts received from suppliers. Actions could be executed as part of a response to an incident or based on threat reports.
- Example 2: Improve logging and audit capabilities in development environments by working with internal security teams to identify the best format, events to capture, and level of granularity that enable quick reconstruction of security-related actions.
- Example 3: Incorporate and adapt zero trust capabilities as they become available in underlying IT and development infrastructures.
PO.6.2
Identify new processes, tools, and techniques that can help avoid software errors (see PW.7, RV.3.3).
Implementation Examples
- Example 1: Use new languages or features in existing languages that eliminate classes of vulnerabilities.
- Example 2: Evaluate and adopt tools that expand testing coverage in response to known vulnerabilities.
- Example 3: Improve logging capabilities in software by working with customers and security logging vendors or tools to identify the best format, events to capture, and level of granularity that enable quick reconstruction of security-related actions.
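The following is an added illustration, not text or code from the SSDF, of what PO.6.1 Example 1 (checking supplier artifacts, with the check updated from threat reports) and PO.6.1 Example 2 / PO.6.2 Example 3 (structured, reconstructable security logging) can look like in practice. It verifies an incoming artifact against the supplier's published SHA-256 manifest, rejects any hash that appears on a blocklist fed from threat reports, and records every decision as one JSON audit event. The artifact names, contents, manifest, blocklist and the `ci-intake` actor are all constructed for this example.

```python
"""Supplier artifact intake check with structured audit logging (added example)."""
import hashlib
import json
import logging
from datetime import datetime, timezone

logger = logging.getLogger("supplier_intake")

# Constructed sample data. In a real pipeline the manifest would be fetched
# from the supplier and the blocklist from the organisation's threat feed,
# and both would be refreshed as new reports arrive (PO.6.1).
SAMPLE_ARTIFACTS = {
    "widget-lib-1.4.2.tar.gz": b"widget-lib 1.4.2 release contents",
    "widget-lib-1.4.3.tar.gz": b"widget-lib 1.4.3 release contents",
}
SUPPLIER_MANIFEST = {
    name: hashlib.sha256(data).hexdigest() for name, data in SAMPLE_ARTIFACTS.items()
}
# Suppose a threat report later flags the 1.4.3 build; its hash is added here so
# the intake tool rejects it even though the supplier manifest still lists it.
BLOCKLIST = {hashlib.sha256(SAMPLE_ARTIFACTS["widget-lib-1.4.3.tar.gz"]).hexdigest()}


def audit_event(event: str, **fields) -> dict:
    """Emit one audit record as a single JSON object per line.

    A fixed schema (timestamp, event name, actor, artifact, hash, outcome)
    is what lets a security team reconstruct the action later.
    """
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": event,
        **fields,
    }
    logger.info(json.dumps(record, sort_keys=True))
    return record


def check_artifact(name: str, data: bytes, manifest: dict, blocklist: set,
                   actor: str = "ci-intake") -> dict:
    """Decide whether a supplier artifact may enter the build; return the audit record."""
    digest = hashlib.sha256(data).hexdigest()
    base = {"artifact": name, "sha256": digest, "actor": actor}

    # Blocklist first: a hash known from threat reports is rejected regardless
    # of what the manifest says, which covers a compromised supplier as well.
    if digest in blocklist:
        return audit_event("artifact.rejected", reason="blocklisted", **base)
    expected = manifest.get(name)
    if expected is None:
        return audit_event("artifact.rejected", reason="not_in_manifest", **base)
    if digest != expected:
        return audit_event("artifact.rejected", reason="hash_mismatch",
                           expected_sha256=expected, **base)
    return audit_event("artifact.accepted", reason="verified", **base)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for name, data in SAMPLE_ARTIFACTS.items():
        check_artifact(name, data, SUPPLIER_MANIFEST, BLOCKLIST)
    check_artifact("widget-lib-1.4.2.tar.gz", b"tampered bytes", SUPPLIER_MANIFEST, BLOCKLIST)
```

Adding a hash to `BLOCKLIST` or changing a manifest entry changes the tool's behaviour without touching its code, which is the kind of configuration update in response to a threat report that PO.6.1 describes; the JSON lines give the audit trail PO.6.1 Example 2 and PO.6.2 Example 3 ask for.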
PO.6.3
Improve vulnerability response processes, and periodically review prior decisions (see RV.2.2).
Implementation Examples
- Example 1: Periodically review decisions, particularly if a decision to not provide a software update is made in favor of some other mitigation, and the implementation of measures to identify customer impact over time.