This article provides additional information on how you can meet the requirement for the CAF control A4.b Secure Software Development and Support.
All software, whether developed internally or sourced externally, must be built and supported following recognised secure development practices.
Third party software
- Suppliers should follow an established Secure Software Development Framework (such as NIST SSDF or Microsoft SDL) and provide assurance of this where appropriate.
- Their security posture should be assessed (through documentation, SOC/ISO reports, vulnerability processes, and statements on software provenance and component use) to ensure that any third-party or open-source dependencies are monitored for vulnerabilities throughout the software's lifecycle.
Software development
- Development practices follow a structured SDLC that includes development team training, security reviews, version control, change approval, and secure coding standards.
- Environments (development, test, staging and production) are controlled, access-restricted, and monitored, with controls proportionate to the risk of targeted attacks.
Software maintenance
- Updates should be validated before deployment and software kept patched.
- Code should be held in trusted repositories.
- Code signing should be enforced where supported.
- Software sources and versions should be tracked through asset and configuration management processes.
- Controls related to software approval, updates and monitoring are tracked and evidenced within the Adoptech platform.
Software risks
Threat intelligence and emerging attack techniques are considered when reviewing software-related risks. Where relevant, threat modelling or vulnerability assessments are performed to identify potential weaknesses in software we develop or depend upon.