
PW.2.1: Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.

PW.2

>Control Description

Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.

>Practice: PW.2

Review the Software Design to Verify Compliance with Security Requirements and Risk Information

Help ensure that the software will meet the security requirements and satisfactorily address the identified risk information.

>Notional Implementation Examples

  1. Review the software design to confirm that it addresses applicable security requirements.
  2. Review the risk models created during software design to determine if they appear to adequately identify the risks.
  3. Review the software design to confirm that it satisfactorily addresses the risks identified by the risk models.
  4. Have the software’s designer correct failures to meet the requirements.
  5. Change the design and/or the risk response strategy if the security requirements cannot be met.
  6. Record the findings of design reviews to serve as artifacts (e.g., in the software specification, in the issue tracking system, in the threat model).

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS

TV.3

BSIMM

AA1.1
AA1.2
AA1.3
AA2.1
AA3.1

EO 14028

4e(iv)
4e(v)
4e(ix)

IEC 62443

SM-2
SR-2
SR-5
SD-3
SD-4
SI-2

ISO 27034

7.3.3

OWASP ASVS

1.1.5

OWASP SAMM

DR1-A
DR1-B

PCI SSLC

3.2

SP 800-181 (NICE)

T0328
K0038
K0039
K0070
K0080
K0119
K0152
K0153
