<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Secure Software Recommendations on</title><link>https://deploy-preview-3176--ornate-narwhal-088216.netlify.app/software-security/secure-software-development/</link><description>Recent content in Secure Software Recommendations on</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><lastBuildDate>Wed, 10 May 2023 08:49:15 +0000</lastBuildDate><atom:link href="https://deploy-preview-3176--ornate-narwhal-088216.netlify.app/software-security/secure-software-development/index.xml" rel="self" type="application/rss+xml"/><item><title>CISA Secure Software Development Attestation Form (Draft)</title><link>https://deploy-preview-3176--ornate-narwhal-088216.netlify.app/software-security/secure-software-development/ssd-attestation-form/</link><pubDate>Wed, 10 May 2023 15:21:01 +0200</pubDate><guid>https://deploy-preview-3176--ornate-narwhal-088216.netlify.app/software-security/secure-software-development/ssd-attestation-form/</guid><description>Attestation and Signature On behalf of the above-specified company, I attest that [software producer] presently makes consistent use of the following practices, drawn from the secure software development framework (SSDF), in developing the software identified in Section I:
The software is developed and built in secure environments. Those environments are secured by the following actions, at a minimum:
Separating and protecting each environment involved in developing and building Software;
Regularly logging, monitoring, and auditing trust relationships used for authorization and access: to any software development and build environments; and among components within each environment;
Enforcing multi-factor authentication and conditional access across the environments relevant to developing and building software in a manner that minimizes security risk;
Taking consistent and reasonable steps to document as well as minimize use or inclusion of software products that create undue risk within the environments used to develop and build software;
Encrypting sensitive data, such as credentials, to the extent practicable and based on risk;
Implementing defensive cyber security practices, including continuous monitoring of operations and alerts and, as necessary, responding to suspected and confirmed cyber incidents;
The software producer has made a good-faith effort to maintain trusted source code supply chains by: Employing automated tools or comparable processes; and Establishing a process that includes reasonable steps to address the security of third-party components and manage related vulnerabilities;
The software producer employs automated tools or comparable processes in a good-faith effort to maintain trusted source code supply chains;
The software producer maintains provenance data for internal and third-party code incorporated into the software;
The software producer employs automated tools or comparable processes that check for security vulnerabilities.</description></item><item><title>Secure Software Development Framework (SSDF) Table, NIST SP 800-218</title><link>https://deploy-preview-3176--ornate-narwhal-088216.netlify.app/software-security/secure-software-development/ssdf/</link><pubDate>Wed, 10 May 2023 15:21:01 +0200</pubDate><guid>https://deploy-preview-3176--ornate-narwhal-088216.netlify.app/software-security/secure-software-development/ssdf/</guid><description>SSDF Table Practices Tasks Notional Implementation Examples References Define Security Requirements for Software Development (PO.1): Ensure that security requirements for software development are known at all times so that they can be taken into account throughout the SDLC and duplication of effort can be minimized because the requirements information can be collected once and shared. This includes requirements from internal sources (e.g., the organization’s policies, business objectives, and risk management strategy) and external sources (e.</description></item><item><title>Minimum Attestation References</title><link>https://deploy-preview-3176--ornate-narwhal-088216.netlify.app/software-security/secure-software-development/minimum-attestation-references/</link><pubDate>Wed, 10 May 2023 15:21:01 +0200</pubDate><guid>https://deploy-preview-3176--ornate-narwhal-088216.netlify.app/software-security/secure-software-development/minimum-attestation-references/</guid><description>The minimum requirements within the Secure Software Attestation Form address requirements put forth in EO 14028 subsection (4)(e) and specific SSDF practices and tasks. For reference, please review the chart below.
Attestation Requirements Related EO 14028 Subsection Related SSDF Practices and Tasks 1) The software was developed and built in secure environments. Those environments were secured by the following actions, at a minimum: 4e(i) [See rows below] a) Separating and protecting each environment involved in developing and building software; 4e(i)(A) PO.</description></item></channel></rss>