PW.2.1
>Control Description
Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.
>Practice: PW.2
Review the Software Design to Verify Compliance with Security Requirements and Risk Information
Help ensure that the software will meet the security requirements and satisfactorily address the identified risk information.
>Notional Implementation Examples
- 1. Review the software design to confirm that it addresses applicable security requirements.
- 2. Review the risk models created during software design to determine if they appear to adequately identify the risks.
- 3. Review the software design to confirm that it satisfactorily addresses the risks identified by the risk models.
- 4. Have the software's designer correct failures to meet the requirements.
- 5. Change the design and/or the risk response strategy if the security requirements cannot be met.
- 6. Record the findings of design reviews to serve as artifacts (e.g., in the software specification, in the issue tracking system, in the threat model).
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218
- BSA FSS: TV.3
- BSIMM: AA1.1, AA1.2, AA1.3, AA2.1, AA3.1
- EO 14028: 4e(iv), 4e(v), 4e(ix)
- IEC 62443: SM-2, SR-2, SR-5, SD-3, SD-4, SI-2
- ISO 27034: 7.3.3
- OWASP ASVS: 1.1.5
- OWASP SAMM: DR1-A, DR1-B
- PCI SSLC: 3.2
- SP 800-181 (NICE): T0328, K0038, K0039, K0070, K0080, K0119, K0152, K0153 (+10 more)