Control Objectives:
2.4 Software security assurance processes are implemented and maintained throughout the entire software lifecycle.
Note: This control objective focuses on the overall management of security assurance processes and provides the foundation for the specific assurance processes defined within this document.
Test Requirements:
2.4.a The assessor shall examine vendor evidence and interview personnel to confirm the following:
- Software security assurance processes are defined, implemented and maintained.
- An inventory of software security assurance processes is maintained.
2.4.b For a sample of software security assurance processes, the assessor shall examine vendor evidence and interview personnel to confirm the following:
- Software security assurance processes clearly address the specific rules and goals within the software vendor’s software security policy.
- Software security assurance processes are aligned with the software vendor’s software security strategy.
- Software vendor personnel, including software development personnel, are assigned responsibility and accountability for the execution and performance of the security assurance process in accordance with Control Objective 1.2.
- The individuals or teams responsible for performing and maintaining each security assurance process are clearly aware of their responsibilities.
- The results or outcomes of each security assurance process are monitored in accordance with Control Objective 2.6.
Guidance:
Software security assurance processes are activities that are implemented to carry out the software vendor’s software security strategy and to facilitate secure software design, development, and maintenance. To ensure that security and compliance requirements are met, software security policy is satisfied, and the software vendor’s products and services are secure and resistant to attack, software vendors need to define such processes throughout all phases of the software lifecycle. These may include security “checkpoints,” which are distinct points within the software development process where software is checked to make sure security requirements are met. Examples of software security assurance processes and controls include software-design reviews, automated code reviews, security-specific functional testing, and change-management processes. For organizations that leverage Agile software development methodologies, security checkpoints may be incorporated into the “story” acceptance criteria or the criteria for determining when work is considered “done.”
Evidence to support this requirement might include documented policies and processes, security-control inventories, output from Governance, Risk and Compliance (GRC) or other management tools, software-specific requirements documentation, or any other evidence that clearly and consistently identifies the software security assurance processes that have been implemented and illustrates that the security assurance processes are appropriate for the function they are intended to provide. Additionally, evidence to illustrate that the software security assurance processes are implemented properly may include system or process outputs such as threat models, security test results, bug-tracking data, audit log data, incident response records, etc.