
PO.3.2 Follow recommended security practices to deploy, operate, and maintain tools and toolchains.

>Control Description

Follow recommended security practices to deploy, operate, and maintain tools and toolchains.

>Practice: PO.3

Implement Supporting Toolchains

Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.

>Notional Implementation Examples

  1. Evaluate, select, and acquire tools, and assess the security of each tool.
  2. Integrate tools with other tools and existing software development processes and workflows.
  3. Use code-based configuration for toolchains (e.g., pipelines-as-code, toolchains-as-code).
  4. Implement the technologies and processes needed for reproducible builds.
  5. Update, upgrade, or replace tools as needed to address tool vulnerabilities or add new tool capabilities.
  6. Continuously monitor tools and tool logs for potential operational and security issues, including policy violations and anomalous behavior.
  7. Regularly verify the integrity and check the provenance of each tool to identify potential problems.
  8. See PW.6 regarding compiler, interpreter, and build tools.
  9. See PO.5 regarding implementing and maintaining secure environments.

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS: DE.2

BSIMM: SR1.1, SR1.3, SR3.4

CNCF SSCP: Securing Build Pipelines (Verification, Automation, Controlled Environments, Secure Authentication/Access); Securing Artefacts (Verification, Automation, Controlled Environments, Encryption, +2 more)

EO 14028: 4e(i)(F), 4e(ii), 4e(iii), 4e(v), 4e(vi), 4e(ix)

IEC 62443: SM-7

NIST IR 8397: 2.2

OWASP ASVS: 1.14.3, 1.14.4, 14.1, 14.2

OWASP MASVS: 7.9

OWASP SCVS: 3, 5

SAFECode Agile: Tasks Requiring the Help of Security Experts 9

SAFECode FPSSD: Use Current Compiler and Toolchain Versions and Secure Compiler Options

SAFECode SIC: Vendor Software Delivery Integrity Controls

SP 800-53: (no references listed on this page)

SP 800-161: SA-15

SP 800-181 (NICE): K0013, K0178
