PO.4.1—Define criteria for software security checks and track throughout the SDLC.
>Control Description
Define criteria for software security checks and track throughout the SDLC.
>Practice: PO.4
Define and Use Criteria for Software Security Checks
Help ensure that the software resulting from the SDLC meets the organization’s expectations by defining and using criteria for checking the software’s security during development.
>Notional Implementation Examples
1. Ensure that the criteria adequately indicate how effectively security risk is being managed.
2. Define key performance indicators (KPIs), key risk indicators (KRIs), vulnerability severity scores, and other measures for software security.
3. Add software security criteria to existing checks (e.g., the Definition of Done in agile SDLC methodologies).
4. Review the artifacts generated as part of the software development workflow system to determine if they meet the criteria.
5. Record security check approvals, rejections, and exception requests as part of the workflow and tracking system.
6. Analyze collected data in the context of the security successes and failures of each development project, and use the results to improve the SDLC.
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218