
PW.4.4 Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.

>Control Description

Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.

>Practice: PW.4

Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality

Lower the costs of software development, expedite software development, and decrease the likelihood of introducing additional security vulnerabilities into the software by reusing software modules and services that have already had their security posture checked. This is particularly important for software that implements security functionality, such as cryptographic modules and protocols.

>Notional Implementation Examples

  1. Regularly check whether there are publicly known vulnerabilities in the software modules and services that vendors have not yet fixed.
  2. Build into the toolchain automatic detection of known vulnerabilities in software components.
  3. Use existing results from commercial services for vetting the software modules and services.
  4. Ensure that each software component is still actively maintained and has not reached end of life; this should include new vulnerabilities found in the software being remediated.
  5. Determine a plan of action for each software component that is no longer being maintained or will not be available in the near future.
  6. Confirm the integrity of software components through digital signatures or other mechanisms.
  7. Review, analyze, and/or test code. See PW.7 and PW.8.
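The following is an added illustration of how examples 1, 2, 4 and 6 above can be automated in a build toolchain; it is not code from NIST SP 800-218 or from this page. It audits a pinned component list against three things: the expected digest of each downloaded artifact (integrity), a known-vulnerability feed (detection of unfixed public vulnerabilities), and a maintenance/end-of-life flag. All component names, versions, digests, artifact bytes and advisory identifiers are constructed sample data; the version comparison is a deliberately simple dotted-integer compare rather than a full ecosystem-specific version scheme.

```python
"""
Added example (not NIST's or this page's code): a minimal third-party
component audit covering integrity, known vulnerabilities and end-of-life.
All inputs below are constructed sample data; names and advisory ids
are hypothetical.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    version: str
    expected_sha256: str   # pinned digest from the organization's lock file
    eol: bool = False      # maintenance status recorded during vetting


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(v: str) -> tuple:
    # Simplified dotted-integer compare (assumption: versions look like "1.4.2")
    return tuple(int(part) for part in v.split("."))


# Constructed artifact bytes standing in for downloaded packages.
# "netutil" has been altered after the lock file was pinned.
ARTIFACTS = {
    ("libparse", "1.4.2"): b"libparse-1.4.2 contents",
    ("netutil", "0.9.0"): b"netutil-0.9.0 contents (tampered)",
    ("oldcrypto", "2.0.1"): b"oldcrypto-2.0.1 contents",
}

# Constructed lock file: each component pinned to a version and a digest.
LOCKFILE = [
    Component("libparse", "1.4.2", sha256_hex(b"libparse-1.4.2 contents")),
    Component("netutil", "0.9.0", sha256_hex(b"netutil-0.9.0 contents")),
    Component("oldcrypto", "2.0.1", sha256_hex(b"oldcrypto-2.0.1 contents"), eol=True),
]

# Constructed advisory feed. fixed_in=None means the vendor has not shipped a fix.
ADVISORIES = [
    {"name": "libparse", "fixed_in": "1.4.3", "id": "EXAMPLE-ADV-0001"},
    {"name": "oldcrypto", "fixed_in": None, "id": "EXAMPLE-ADV-0002"},
]


def check_component(comp: Component, artifact: bytes) -> list:
    """Return a list of finding strings for one component (empty list = passes)."""
    findings = []

    # Example 6: confirm integrity of the acquired artifact against the pinned digest.
    if sha256_hex(artifact) != comp.expected_sha256:
        findings.append(f"INTEGRITY: digest mismatch for {comp.name} {comp.version}")

    # Examples 1 and 2: detect publicly known vulnerabilities, including ones not yet fixed.
    for adv in ADVISORIES:
        if adv["name"] != comp.name:
            continue
        unfixed = adv["fixed_in"] is None
        if unfixed or parse_version(comp.version) < parse_version(adv["fixed_in"]):
            fix = adv["fixed_in"] or "no fix available"
            findings.append(f"VULN: {comp.name} {comp.version} affected by {adv['id']} (fixed in: {fix})")

    # Example 4: flag components that are no longer maintained.
    if comp.eol:
        findings.append(f"EOL: {comp.name} is no longer maintained; a plan of action is required")

    return findings


def audit(lockfile: list, artifacts: dict) -> dict:
    """Audit every pinned component; returns {component name: [findings]}."""
    report = {}
    for comp in lockfile:
        artifact = artifacts.get((comp.name, comp.version))
        if artifact is None:
            report[comp.name] = [f"MISSING: no artifact for {comp.name} {comp.version}"]
            continue
        report[comp.name] = check_component(comp, artifact)
    return report


def passes_policy(report: dict) -> bool:
    """Build gate: true only when no component has any finding."""
    return all(not findings for findings in report.values())


if __name__ == "__main__":
    result = audit(LOCKFILE, ARTIFACTS)
    for name, findings in result.items():
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
    print("build gate:", "pass" if passes_policy(result) else "block")
```

In a real toolchain the digests would come from a signed lock file or the vendor's signature, the advisory feed from a vulnerability database, and the end-of-life flag from the component inventory; the gate at the end is what turns the check into a build-blocking control rather than an advisory report.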

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS

SC.3-1
SM.2-1
SM.2-2
SM.2-3
TV.2
TV.3

BSIMM

CP3.2
SR2.4
SR3.1
SR3.2
SE2.4
SE3.6

CNCF SSCP

Securing Materials—Verification
Automation

EO 14028

4e(iii)
4e(iv)
4e(vi)
4e(ix)
4e(x)

IDA SOAR

21

IEC 62443

SI-1
SM-9
SM-10
DM-1

NIST IR 8397

2.11

Microsoft SDL

7

NIST Labels

2.2.2.2

OWASP ASVS

10
14.2

OWASP MASVS

7.5

OWASP SAMM

TA3-A
SR3-B

OWASP SCVS

4
5
6

PCI SSLC

3.2
3.4
4.1

SAFECode Agile

Tasks Requiring the Help of Security Experts 8

SAFECode FPSSD

Manage Security Risk Inherent in the Use of Third-Party Components

SAFECode SIC

Vendor Sourcing Integrity Controls
Peer Reviews and Security Testing

SAFECode TPC

MAINTAIN
ASSESS

SP 800-160

3.1.2
3.3.8

SP 800-161

SA-4
SA-8
SA-9
SA-9(3)
SR-3
SR-4
SR-4(3)
SR-4(4)

SP 800-181 (NICE)

SP-DEV-002
K0153
K0266
S0298
