
PO.5.1 Separate and protect each environment involved in software development.

PO.5

Control Description

Separate and protect each environment involved in software development.

Practice: PO.5

Implement and Maintain Secure Environments for Software Development

Ensure that all components of the environments for software development are strongly protected from internal and external threats to prevent compromises of the environments or the software being developed or maintained within them. Examples of environments for software development include development, build, test, and distribution environments.

Notional Implementation Examples

  1. Use multi-factor, risk-based authentication and conditional access for each environment.
  2. Use network segmentation and access controls to separate the environments from each other and from production environments, and to separate components from each other within each non-production environment, in order to reduce attack surfaces and attackers’ lateral movement and privilege/access escalation.
  3. Enforce authentication and tightly restrict connections entering and exiting each software development environment, including minimizing access to the internet to only what is necessary.
  4. Minimize direct human access to toolchain systems, such as build services. Continuously monitor and audit all access attempts and all use of privileged access.
  5. Minimize the use of production-environment software and services from non-production environments.
  6. Regularly log, monitor, and audit trust relationships for authorization and access between the environments and between the components within each environment.
  7. Continuously log and monitor operations and alerts across all components of the development environment to detect, respond, and recover from attempted and actual cyber incidents.
  8. Configure security controls and other tools involved in separating and protecting the environments to generate artifacts for their activities.
  9. Continuously monitor all software deployed in each environment for new vulnerabilities, and respond to vulnerabilities appropriately following a risk-based approach.
  10. Configure and implement measures to secure the environments’ hosting infrastructures following a zero trust architecture.

Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS

DE.1
IA.1
IA.2

CNCF SSCP

Securing Build Pipelines—Controlled Environments

EO 14028

4e(i)(A)
4e(i)(B)
4e(i)(C)
4e(i)(D)
4e(i)(F)
4e(ii)
4e(iii)
4e(v)

IEC 62443

SM-7

SAFECode Agile

Tasks Requiring the Help of Security Experts 11

SAFECode SIC

Vendor Software Delivery Integrity Controls

SP 800-161

SA-3
SA-8
SA-15

SP 800-181 (NICE)

OM-NET-001
SP-SYS-001
T0019
T0023
T0144
T0160
T0262
T0438
