Reuse of Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality, v1.1

Specifies requirements in accordance with NIST Secure Software Development Framework (SSDF), version 1.1, Practice PW.4: Reuse of Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality. The practice requires an organization to lower the costs of software development, expedite software development, and decrease the likelihood of introducing additional security vulnerabilities into the software by reusing software modules and services whose security posture has already been checked. This is particularly important for software that implements security functionality, such as cryptographic modules and protocols.

Assessment Steps (3)

1. Security of Third-Party Software Components (SecurityofThird-PartySoftwareComponents)
   Does the organization acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, open-source, and other third-party developers for use by the organization's software?
   Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.

2. Security of In-House Software Components (SecurityofIn-HouseSoftwareComponents)
   Does the organization create and maintain well-secured software components in-house, following SDLC processes, to meet common internal software development needs that cannot be better met by third-party software components?
   Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.

3. Verification of Compliance for Third-Party Software Components (VerificationofComplianceforThird-PartySoftwareComponents)
   Does the organization verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles?
   Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.

Conformance Criteria (3)

1. Security of Third-Party Software Components
   The organization must acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, open-source, and other third-party developers for use by the organization's software.
   Citation: SSDF, Task PW.4.1

2. Security of In-House Software Components
   The organization must create and maintain well-secured software components in-house, following SDLC processes, to meet common internal software development needs that cannot be better met by third-party software components.
   Citation: SSDF, Task PW.4.2

3. Verification of Compliance for Third-Party Software Components
   The organization must verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.
   Citation: SSDF, Task PW.4.4