PO.3.3—Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.
>Control Description
Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.
>Practice: PO.3
Implement Supporting Toolchains
Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
>Notional Implementation Examples
1. Use existing tooling (e.g., workflow tracking, issue tracking, value stream mapping) to create an audit trail of the secure development-related actions that are performed for continuous improvement purposes.
2. Determine how often the collected information should be audited, and implement the necessary processes.
3. Establish and enforce security and retention policies for artifact data.
4. Assign responsibility for creating any needed artifacts that tools cannot generate.
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218
- BSA FSS: PD.1-5
- BSIMM: SM1.4, SM3.4, SR1.3
- CNCF SSCP: Securing Build Pipelines—Verification; Automation; Controlled Environments; Securing Artefacts—Verification
- EO 14028: 4e(i)(F), 4e(ii), 4e(v), 4e(ix)
- IEC 62443: SM-12, SI-2
- Microsoft SDL: 8
- OWASP SAMM: PC3-B
- OWASP SCVS: 3.13, 3.14
- PCI SSLC: 2.5
- SAFECode Agile: Tasks Requiring the Help of Security Experts 9
- SAFECode SIC: Vendor Software Delivery Integrity Controls
- SP 800-53; SP 800-161: SA-15
- SP 800-181 (NICE): K0013, T0024