>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

PW.1.2Track and maintain the software’s security requirements, risks, and design decisions.

PW.1

>Control Description

Track and maintain the software’s security requirements, risks, and design decisions.

>Practice: PW.1

Design Software to Meet Security Requirements and Mitigate Security Risks

Identify and evaluate the security requirements for the software; determine what security risks the software is likely to face during operation and how the software’s design and architecture should mitigate those risks; and justify any cases where risk-based analysis indicates that security requirements should be relaxed or waived. Addressing security requirements and risks during software design (secure by design) is key for improving software security and also helps improve development efficiency.

>Notional Implementation Examples

  1. 1.Record the response to each risk, including how mitigations are to be achieved and what the rationales are for any approved exceptions to the security requirements. Add any mitigations to the software’s security requirements.
  2. 2.Maintain records of design decisions, risk responses, and approved exceptions that can be used for auditing and maintenance purposes throughout the rest of the software life cycle.
  3. 3.Periodically re-evaluate all approved exceptions to the security requirements, and implement changes as needed.

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS

SC.1-1
PD.1-1

BSIMM

SFD3.1
SFD3.3
AA2.2
AA3.2

EO 14028

4e(v)
4e(ix)

IEC 62443

SD-1

ISO 27034

7.3.3

Microsoft SDL

4

NIST Labels

2.2.2.2

OWASP ASVS

1.1.3
1.1.4

OWASP MASVS

1.3
1.6

OWASP SAMM

DR1-B

PCI SSLC

3.2
3.3

SP 800-53

SA-8
SA-10
SA-17

SP 800-161

SA-8
SA-17

SP 800-181 (NICE)

T0256
K0005
K0038
K0039
K0147
K0149
K0160
K0161
+13 more

Ask AI

Configure your API key to use AI features.