
PW.4.2 Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components.


>Control Description

Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components.

>Practice: PW.4

Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality

Lower the costs of software development, expedite software development, and decrease the likelihood of introducing additional security vulnerabilities into the software by reusing software modules and services that have already had their security posture checked. This is particularly important for software that implements security functionality, such as cryptographic modules and protocols.

>Notional Implementation Examples

  1. Follow organization-established security practices for secure software development when creating and maintaining the components.
  2. Determine secure configurations for software components, and make these available (e.g., as configuration-as-code) so developers can readily use the configurations.
  3. Maintain one or more software repositories for these components.
  4. Designate which components must be included in software to be developed.
  5. Implement processes to update deployed software components to newer versions, and maintain older versions of software components until all transitions from those versions have been completed successfully.
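Items 1, 2 and 5 above are easiest to see in code. The following is an added example, not code from NIST SP 800-218 or any product: an in-house shared TLS component whose secure configuration is shipped as configuration-as-code, validated so that consumers cannot weaken it, with the previous interface kept as a deprecated shim until migrations finish. All names (`TlsPolicy`, `secure_tls_context`, `policy_is_acceptable`, the policy JSON and its values) are assumptions for illustration.

```python
"""In-house shared TLS component with its secure configuration shipped as
configuration-as-code. Added example for this page; the names and the
policy document are assumed, not taken from NIST or any product."""
import json
import ssl
import warnings
from dataclasses import dataclass
from typing import Optional

# Policy maintained centrally by the component owners (configuration-as-code).
# Consumers import the component instead of hand-building an SSLContext.
# Constructed example values; TLS 1.2 is a deliberate floor, not a default.
DEFAULT_POLICY_JSON = json.dumps({
    "min_tls_version": "TLSv1_2",
    "verify_peer": True,
    "check_hostname": True,
    "ciphers": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5",
})

_ALLOWED_MIN = {"TLSv1_2": ssl.TLSVersion.TLSv1_2, "TLSv1_3": ssl.TLSVersion.TLSv1_3}


@dataclass(frozen=True)
class TlsPolicy:
    min_tls_version: str
    verify_peer: bool
    check_hostname: bool
    ciphers: str

    def __post_init__(self):
        # A component that can be configured insecurely has not really been
        # secured by its owners, so reject anything below the floor.
        if self.min_tls_version not in _ALLOWED_MIN:
            raise ValueError(f"min_tls_version {self.min_tls_version!r} is below the policy floor")
        if not self.verify_peer or not self.check_hostname:
            raise ValueError("peer and hostname verification are mandatory")
        if "!aNULL" not in self.ciphers:
            raise ValueError("cipher string must exclude anonymous suites (!aNULL)")


def load_policy(text: str = DEFAULT_POLICY_JSON) -> TlsPolicy:
    """Parse a policy document; validation runs in TlsPolicy.__post_init__."""
    return TlsPolicy(**json.loads(text))


def policy_is_acceptable(text: str) -> bool:
    """CI gate for the component repository: True only if a proposed policy
    document parses and passes validation."""
    try:
        load_policy(text)
        return True
    except (ValueError, TypeError):   # JSONDecodeError is a ValueError; missing keys raise TypeError
        return False


def secure_tls_context(policy: Optional[TlsPolicy] = None) -> ssl.SSLContext:
    """The one supported way for in-house code to obtain a client SSLContext."""
    policy = policy or load_policy()
    ctx = ssl.create_default_context()   # system CA bundle, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = _ALLOWED_MIN[policy.min_tls_version]
    ctx.check_hostname = policy.check_hostname   # always True after validation
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(policy.ciphers)              # applies to the TLS 1.2 suites
    return ctx


def secure_tls_context_v1(**_ignored_legacy_kwargs) -> ssl.SSLContext:
    """Previous interface, kept until every consumer has migrated (item 5).
    It now delegates to the current policy and warns on use."""
    warnings.warn("secure_tls_context_v1 is deprecated; call secure_tls_context()",
                  DeprecationWarning, stacklevel=2)
    return secure_tls_context()


if __name__ == "__main__":
    ctx = secure_tls_context()
    print(ctx.minimum_version.name, ctx.verify_mode.name, ctx.check_hostname)
```

The point of routing every consumer through `secure_tls_context()` is that the secure configuration is reviewed once, in the component repository, and a weakened policy is rejected at load time rather than discovered in a pentest; `policy_is_acceptable` is the check a repository pipeline would run on pull requests that touch the policy file.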

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSIMM

SFD1.1
SFD2.1
SFD3.2
SR1.1

EO 14028

4e(ix)

IDA SOAR

19

OWASP ASVS

1.1.6

SAFECode TPC

MAINTAIN

SP 800-53

SP 800-161

SA-8(3)

SP 800-181 (NICE)

SP-DEV-001
