Control Objectives:
6.1 The integrity of all software code, including third-party components, is maintained throughout the entire software lifecycle.
Test Requirements:
6.1 The assessor shall examine evidence, interview personnel, and observe tools and processes to confirm:
- A mature process, mechanism, and/or tool(s) exist to protect the integrity of the software code, including third-party components.
- The processes, mechanisms, and/or tools are reasonable and appropriate for protecting the integrity of software code.
- Processes, mechanisms, or the use of tools results in the timely detection of any unauthorized attempts to tamper with or access software code.
- Unauthorized attempts to tamper with or access software code are investigated in a timely manner.
Guidance:
Effective software-code control practices help ensure that all changes to code are authorized and performed only by those with a legitimate reason to change the code. Examples of these practices include code check-in and check-out procedures with strict access controls, and a comparison—for example, using a checksum—immediately before updating code to confirm that the last approved version has not been changed. It is important that controls cover all software code, third-party components and libraries, configuration files, etc. that are controlled by the vendor.
The integrity and confidentiality of these assets need to be maintained, as they often contain sensitive data such as intellectual property (for example, business logic), the logic of security functions, the configuration of cryptographic functions (e.g., white-box cryptography), etc.
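The checksum comparison the guidance describes, as an added example that is not part of the standard: a manifest of SHA-256 digests is recorded for the approved version and re-verified immediately before the code is updated, flagging any modified, added or removed file (third-party components and configuration files included). The manifest is itself HMAC-protected, because a reference checksum that anyone able to alter the code can also alter detects nothing. The key RELEASE_KEY, the file names and the directory layout are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumed key held by the release process (in practice an HSM or secrets store,
# never the source tree); constructed value for this example only.
RELEASE_KEY = b"release-manifest-key-example-only"


def file_sha256(path: Path) -> str:
    """SHA-256 of one file, streamed so large vendor archives are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (own code, vendor libs, config) to its digest."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Canonical JSON plus an HMAC, so the reference checksums cannot be edited
    by whoever can edit the code."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body.decode(), "mac": mac}).encode()


def load_signed_manifest(blob: bytes, key: bytes) -> dict:
    """Return the approved manifest, or raise if its MAC does not verify."""
    wrapper = json.loads(blob)
    body = wrapper["manifest"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["mac"]):
        raise ValueError("manifest MAC mismatch: approved manifest was altered")
    return json.loads(body)


def compare_tree(approved: dict, root: Path) -> dict:
    """Diff the approved manifest against what is on disk right now."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in approved
                           if p in current and current[p] != approved[p]),
        "added": sorted(set(current) - set(approved)),
        "removed": sorted(set(approved) - set(current)),
    }


def integrity_check(root: Path, signed_blob: bytes, key: bytes):
    """Gate to run immediately before updating code: ok is True only when the
    tree is byte-for-byte the last approved version; findings lists deviations."""
    approved = load_signed_manifest(signed_blob, key)
    findings = compare_tree(approved, root)
    return not any(findings.values()), findings


def demo():
    """Constructed scenario: approve a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {  # constructed sample tree
            "src/app.py": "def handler():\n    return 'ok'\n",
            "vendor/lib.js": "module.exports = x => x;\n",
            "config/settings.yaml": "tls_min_version: 1.2\n",
        }
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        blob = sign_manifest(build_manifest(root), RELEASE_KEY)
        clean_ok, _ = integrity_check(root, blob, RELEASE_KEY)

        # Unauthorized changes: a backdoored dependency, a dropped-in file,
        # a deleted configuration file.
        (root / "vendor/lib.js").write_text("module.exports = x => { leak(x); return x; };\n")
        (root / "src/backdoor.py").write_text("import os\n")
        (root / "config/settings.yaml").unlink()
        tampered_ok, findings = integrity_check(root, blob, RELEASE_KEY)

        # Editing the reference manifest itself is caught by the MAC.
        forged = blob.replace(b"lib.js", b"lib.JS")
        try:
            load_signed_manifest(forged, RELEASE_KEY)
            manifest_rejected = False
        except ValueError:
            manifest_rejected = True
    return clean_ok, tampered_ok, findings, manifest_rejected


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the signed manifest is produced by the release step and stored outside the repository it describes, and any non-empty finding blocks the update and starts the investigation the test requirement calls for.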