
PW.1.1: Use forms of risk modeling – such as threat modeling, attack modeling, or attack surface mapping – to help assess the security risk for the software.

PW.1

>Control Description

Use forms of risk modeling – such as threat modeling, attack modeling, or attack surface mapping – to help assess the security risk for the software.

>Practice: PW.1

Design Software to Meet Security Requirements and Mitigate Security Risks

Identify and evaluate the security requirements for the software; determine what security risks the software is likely to face during operation and how the software’s design and architecture should mitigate those risks; and justify any cases where risk-based analysis indicates that security requirements should be relaxed or waived. Addressing security requirements and risks during software design (secure by design) is key for improving software security and also helps improve development efficiency.

>Notional Implementation Examples

  1. Train the development team (security champions, in particular) or collaborate with a risk modeling expert to create models and analyze how to use a risk-based approach to communicate the risks and determine how to address them, including implementing mitigations.
  2. Perform more rigorous assessments for high-risk areas, such as protecting sensitive data and safeguarding identification, authentication, and access control, including credential management.
  3. Review vulnerability reports and statistics for previous software to inform the security risk assessment.
  4. Use data classification methods to identify and characterize each type of data that the software will interact with.

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS

SC.1

BSIMM

AM1.2
AM1.3
AM1.5
AM2.1
AM2.2
AM2.5
AM2.6
AM2.7
+5 more

EO 14028

4e(ix)

IDA SOAR

1

IEC 62443

SM-4
SR-1
SR-2
SD-1

NIST IR 8397

2.1

ISO 27034

7.3.3

Microsoft SDL

4

NIST CSF

OWASP ASVS

1.1.2
1.2
1.4
1.6
1.8
1.9
1.11
2
+8 more

OWASP MASVS

1.6
1.8
2
3
4
5
6

OWASP SAMM

TA1-A
TA1-B
TA3-B
DR1-A

PCI SSLC

3.2
3.3

SAFECode Agile

Tasks Requiring the Help of Security Experts 3

SAFECode FPSSD

Threat Modeling

SAFECode TTM

Entire guide

SP 800-160

3.3.4
3.4.5

SP 800-161

SA-8
SA-11(2)
SA-11(6)
SA-15(5)

SP 800-181 (NICE)

T0038
T0062
K0005
K0009
K0038
K0039
K0070
K0080
+25 more
