8 - Operations

8-22 Level 2 Tasks

8-22-1
Task: Ensure compliance with Secure Coding Standard that covers, at a minimum, the topics in TOR-2013-00742 Secure Software Assurance Coding Guidance.
Applicable Mission Phases: Phase D1 | Phase D2 | Phase D3
Description: Ensure the Secure Coding Standard (SCS), which may be an appendix to the Software Development Plan (SDP), is maintained and current. Ensure contractor and program personnel implement SCS and SDP criteria. Ensure these documents are reviewed by the Government.
SFWC: NA
Artifacts: NA
References: Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53; System and Services Acquisition (SA) family of controls; TOR-2013-00742, Secure Software Assurance Coding Guidance

8-22-2
Task: Ensure the developed application code is reviewed to the Secure Development Standard with automated tools or manual methods.
Applicable Mission Phases: Phase D1 | Phase D2 | Phase D3
Description: Ensure program-unique developed code is reviewed against the Secure Development Standard as part of the development process, both with secure code static analysis tools and manually when static tools are insufficient. The criteria for both automated and manual review are contained in the Secure Development Standard.
SFWC: NA
Artifacts: NA
References: Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53; System and Services Acquisition (SA) family of controls; TOR-2013-00742, Secure Software Assurance Coding Guidance

8-22-3
Task: Ensure compliance with program policies and practices for handling Free and Open Source Software and third party software, which includes Off-the-Shelf Software (OSS) component life-cycle management.
Applicable Mission Phases: Phase D1 | Phase D2 | Phase D3
Description: Ensure program policies and practices are maintained and followed. Ensure that license and security issues are addressed and appropriate controls are in place. Ensure that FOSS libraries contained in and/or used by FOSS and third party software are configuration managed and that FOSS vulnerabilities are tracked and mitigated.
SFWC: NA
Artifacts: NA
References: FS-ISAC Third Party Software Security Working Group White Paper, "Appropriate Software Security Control Types for Third Party Service and Product Providers"

8-22-4
Task: Ensure compliance with the Secure Development Standard is required and that deviations result in Discrepancy/Deficiency Reports as with other software defects.
Applicable Mission Phases: Phase D1 | Phase D2 | Phase D3
Description: Ensure deviations from the Secure Development Standard are treated as DRs and tracked until corrected, as with any other software defect.
SFWC: NA
Artifacts: NA
References: Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53; System and Services Acquisition (SA) family of controls; TOR-2013-00742, Secure Software Assurance Coding Guidance

8-22-5
Task: Ensure the developed application software, and any open source software in use, is compliant with the Design & Development Category I, Category II and Category III requirements imposed on the Designer covering Access Control, Authentication, Best Practice, Canonical Rep, Cryptography, Data, Documentation, Input Validation, Mobile Code, and Race Conditions as defined in the DISA Application Security & Development Security Technical Implementation Guide (STIG).
Applicable Mission Phases: Phase D1 | Phase D2 | Phase D3
Description: Ensure program-unique developed code is reviewed against the Secure Development Standard as part of the development process, both with secure code static analysis tools such as Coverity or Fortify and manually when static tools are insufficient. The criteria for both automated and manual review are contained in the Secure Development Standard. Special attention should be paid to the Category I, Category II and Category III areas addressed by the DISA Application Security & Development STIG.
SFWC: NA
Artifacts: NA
References: Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53; System and Services Acquisition (SA) family of controls; TOR-2013-00742, Secure Software Assurance Coding Guidance; DISA Application Security & Development Security Technical Implementation Guide (STIG)

8-22-6
Task: Ensure compliance with program policies and processes for tracking and addressing security patches and notifications, including assessment for applicability to the system and off-line testing for impacts before deployment to the development or operational system.
Applicable Mission Phases: Phase B | Phase C | Phase D1 | Phase D2 | Phase D3
Description: Ensure program policies and processes are maintained and followed for addressing security patches and notifications, including assessment for applicability to the system and off-line testing for impacts before deployment to the development or operational system (since most of the systems are in some form of operational use with continuing development/upgrade).
SFWC: NA
Artifacts: NA
References: Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53; System and Services Acquisition (SA) family of controls; TOR-2013-00742, Secure Software Assurance Coding Guidance; DISA Application Security & Development Security Technical Implementation Guide (STIG)