PO.3.1—Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.
>Control Description
Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.
>Practice: PO.3
Implement Supporting Toolchains
Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.
>Notional Implementation Examples
1. Define categories of toolchains, and specify the mandatory tools or tool types to be used for each category.
2. Identify security tools to integrate into the developer toolchain.
3. Define what information is to be passed between tools and what data formats are to be used.
4. Evaluate tools' signing capabilities to create immutable records/logs for auditability within the toolchain.
5. Use automated technology for toolchain management and orchestration.
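The notional examples above can be expressed as policy as code. The Python below is an added illustration, not part of SP 800-218 or of this page: a constructed toolchain policy lists the mandatory and recommended tool types per toolchain category and the output format each type must emit so the next tool can consume it, a constructed pipeline definition is checked against that policy, and the result is written into a run record sealed with an HMAC-SHA256 tag chained to the previous record. HMAC stands in for whatever signing mechanism the real tools provide; the policy, pipeline, tool names, formats and key are all assumptions.

```python
"""Toolchain policy check and sealed run record.

Added example, not from SP 800-218: the policy, pipeline, tool names and key
below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Hypothetical policy: one entry per toolchain category, listing the tool
# types that must or should be present and the format each type must emit
# so the next tool in the chain can consume it.
POLICY = {
    "build-pipeline": {
        "mandatory": {"sast", "sca", "sbom", "artifact-signing"},
        "recommended": {"secret-scan"},
        "formats": {"sast": "sarif", "sca": "sarif", "sbom": "spdx-json"},
    },
}

# Constructed pipeline definition, as a CI system might export it.
PIPELINE = {
    "category": "build-pipeline",
    "steps": [
        {"tool": "semgrep", "type": "sast", "format": "sarif"},
        {"tool": "osv-scanner", "type": "sca", "format": "json"},
        {"tool": "syft", "type": "sbom", "format": "spdx-json"},
        {"tool": "go build", "type": "compile", "format": "binary"},
    ],
}


def evaluate(policy, pipeline):
    """Compare a pipeline with its category's rules.

    Returns (violations, warnings): a missing mandatory tool type or a wrong
    output format is a violation; a missing recommended type is a warning.
    """
    rules = policy[pipeline["category"]]
    present = {step["type"]: step for step in pipeline["steps"]}
    present_types = set(present)
    violations, warnings = [], []
    for tool_type in sorted(rules["mandatory"] - present_types):
        violations.append(f"missing mandatory tool type: {tool_type}")
    for tool_type in sorted(rules["recommended"] - present_types):
        warnings.append(f"missing recommended tool type: {tool_type}")
    for tool_type, required in sorted(rules["formats"].items()):
        step = present.get(tool_type)
        if step is not None and step["format"] != required:
            violations.append(
                f"{step['tool']} ({tool_type}) emits {step['format']}, "
                f"policy requires {required}"
            )
    return violations, warnings


def canonical(obj) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(key: bytes, pipeline, violations, warnings, prev_tag: str = "") -> dict:
    """Build a run record and seal it with HMAC-SHA256.

    HMAC stands in for the tool's own signing capability. prev_tag chains
    each record to the previous one, so a removed or reordered record is
    detectable when the chain is walked.
    """
    record = {
        "pipeline_digest": hashlib.sha256(canonical(pipeline)).hexdigest(),
        "violations": violations,
        "warnings": warnings,
        "prev": prev_tag,
    }
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(key: bytes, sealed: dict) -> bool:
    """Recompute the tag; any edit to the record body makes this fail."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


if __name__ == "__main__":
    key = b"demo-key-not-for-production"  # assumption: a real key lives in a KMS/HSM
    violations, warnings = evaluate(POLICY, PIPELINE)
    sealed = seal_record(key, PIPELINE, violations, warnings)
    print(json.dumps(sealed, indent=2))
    print("verified:", verify_record(key, sealed))
```

Run against the constructed pipeline, the check reports two violations (no artifact-signing step, and the SCA tool emitting plain JSON where the policy demands SARIF) and one warning (no secret scanner). The sealed record carries a digest of the pipeline definition rather than the definition itself, so the audit trail stays small while still binding each result to the exact toolchain that produced it.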
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218
| Framework / Standard | Reference |
|---|---|
| BSIMM | CR1.4, ST1.4, ST2.5, SE2.7 |
| CNCF SSCP | Securing Materials—Verification; Securing Build Pipelines—Verification, Automation, Secure Authentication/Access; Securing Artefacts—Verification; Securing Deployments—Verification |
| EO 14028 | 4e(iii), 4e(ix) |
| Microsoft SDL | 8 |
| OWASP SAMM | IR2-B, ST2-B |
| SAFECode Agile | Tasks Requiring the Help of Security Experts 9 |
| SAFECode SIC | Vendor Software Delivery Integrity Controls |
| SP 800-53 / SP 800-161 | SA-15 |
| SP 800-181 (NICE) | K0013, K0178 |