
PS.2: Provide a Mechanism for Verifying Software Release Integrity

Help software acquirers ensure that the software they acquire is legitimate and has not been tampered with.

PS.2.1

Make software integrity verification information available to software acquirers.

Implementation Examples
  • Example 1: Post cryptographic hashes for release files on a well-secured website.
  • Example 2: Use an established certificate authority for code signing so that consumers’ operating systems or other tools and services can confirm the validity of signatures before use.
  • Example 3: Periodically review the code signing processes, including certificate renewal, rotation, revocation, and protection.
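Example 1 in practice, as an added illustration that is not part of the NIST SSDF text: the producer publishes a SHA256SUMS-style manifest for the release files, and the acquirer checks every downloaded file against it, reporting files that match, files that were altered after the manifest was written, and files the manifest lists but the download lacks. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large release archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(release_dir, names):
    """Producer side: one 'hash  filename' line per release file (the sha256sum format)."""
    return "".join(f"{sha256_file(os.path.join(release_dir, n))}  {n}\n" for n in names)

def verify_manifest(manifest, release_dir):
    """Acquirer side: returns {filename: 'ok' | 'mismatch' | 'missing'} for each manifest line."""
    results = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)  # two spaces separate hash and name
        path = os.path.join(release_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

def demo():
    """Constructed release: one file left intact, one modified after the manifest was published,
    and one manifest entry with no matching download."""
    with tempfile.TemporaryDirectory() as d:
        for n, data in (("app-1.0.tar.gz", b"release bytes"), ("app-1.0.sig", b"sig bytes")):
            with open(os.path.join(d, n), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, ["app-1.0.tar.gz", "app-1.0.sig"])
        manifest += "deadbeef  missing.txt\n"  # hypothetical entry for a file that never arrived
        with open(os.path.join(d, "app-1.0.tar.gz"), "ab") as f:
            f.write(b"tampered")  # simulate modification in transit or at rest
        return verify_manifest(manifest, d)

if __name__ == "__main__":
    print(demo())
```

A manifest hosted beside the release only detects corruption or tampering that leaves the manifest untouched; binding the manifest to the publisher with a code signature, as in Example 2, is what lets the acquirer detect a substituted release and manifest together.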