
PS.1.1Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

PS.1

>Control Description

Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

>Practice: PS.1

Protect All Forms of Code from Unauthorized Access and Tampering

Help prevent unauthorized changes to code, both inadvertent and intentional, which could circumvent or negate the intended security characteristics of the software. For code that is not intended to be publicly accessible, this helps prevent theft of the software and may make it more difficult or time-consuming for attackers to find vulnerabilities in the software.

>Notional Implementation Examples

  1. Store all source code and configuration-as-code in a code repository, and restrict access to it based on the nature of the code. For example, open-source code intended for public access may need its integrity and availability protected; other code may also need its confidentiality protected.
  2. Use version control features of the repository to track all changes made to the code with accountability to the individual account.
  3. Use commit signing for code repositories.
  4. Have the code owner review and approve all changes made to the code by others.
  5. Use code signing to help protect the integrity of executables.
  6. Use cryptography (e.g., cryptographic hashes) to help protect file integrity.
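As an added example (not from NIST SP 800-218 or this page), the file-integrity check in item 6 implemented in Python: it records SHA-256 digests of a source tree in a manifest and later reports which files were modified, removed or unexpectedly added. The function names and the sample tree are constructed for the demonstration; the manifest itself must be protected (signed, or stored out of band with restricted access), because anyone who can rewrite the manifest can recompute the digests.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree on disk against a trusted manifest.

    Returns the files whose digest changed, files listed in the manifest but
    absent on disk, and files on disk that the manifest never recorded.
    """
    current = build_manifest(root)
    modified = [f for f, d in manifest.items()
                if f in current and not hmac.compare_digest(current[f], d)]
    missing = [f for f in manifest if f not in current]
    added = [f for f in current if f not in manifest]
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "main.py").write_text("print('hello')\n")
        (root / "config.yaml").write_text("debug: false\n")
        manifest = build_manifest(root)  # trusted snapshot taken at release time
        (root / "config.yaml").write_text("debug: true\n")  # modified after snapshot
        (root / "app" / "main.py").unlink()                  # removed after snapshot
        (root / "injected.py").write_text("pass\n")          # added after snapshot
        return verify_manifest(root, manifest)
```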

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS

IA.1
IA.2
SM.4-1
DE.1-2

BSIMM

SE2.4

CNCF SSCP

Securing the Source Code—Verification
Automation
Controlled Environments
Secure Authentication
Securing Materials—Automation

EO 14028

4e(iii)
4e(iv)
4e(ix)

IDA SOAR

Fact Sheet 25

IEC 62443

SM-6
SM-7
SM-8

OWASP ASVS

1.10
10.3.2

OWASP MASVS

7.1

OWASP SAMM

OE3-B

PCI SSLC

5.1
6.1

SAFECode SIC

Vendor Software Delivery Integrity Controls
Vendor Software Development Integrity Controls

SP 800-53

SP 800-161

SA-8
SA-10
