PW.4: Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality

Lower the costs of software development, expedite software development, and decrease the likelihood of introducing additional security vulnerabilities into the software by reusing software modules and services that have already had their security posture checked. This is particularly important for software that implements security functionality, such as cryptographic modules and protocols.

PW.4.1

Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, open-source, and other third-party developers for use by the organization’s software.

Implementation Examples

• Example 1: Review and evaluate third-party software components in the context of their expected use. If a component is to be used in a substantially different way in the future, perform the review and evaluation again with that new context in mind.
• Example 2: Determine secure configurations for software components, and make these available (e.g., as configuration-as-code) so developers can readily use the configurations.
• Example 3: Obtain provenance information (e.g., SBOM, source composition analysis, binary software composition analysis) for each software component, and analyze that information to better assess the risk that the component may introduce.
• Example 4: Establish one or more software repositories to host sanctioned and vetted open-source components.
• Example 5: Maintain a list of organization-approved commercial software components and component versions along with their provenance data.
• Example 6: Designate which components must be included in software to be developed.
• Example 7: Implement processes to update deployed software components to newer versions, and retain older versions of software components until all transitions from those versions have been completed successfully.
• Example 8: If the integrity or provenance of acquired binaries cannot be confirmed, build binaries from source code after verifying the source code’s integrity and provenance.

References

• BSAFSS: SM.2
• BSIMM: SFD2.1, SFD3.2, SR2.4, SR3.1, SE3.6
• CNCFSSCP: Securing Materials—Verification
• EO14028: 4e(iii), 4e(vi), 4e(ix), 4e(x)
• IDASOAR: 19
• IEC62443: SM-9, SM-10
• MSSDL: 6
• NISTCSF: ID.SC-2
• OWASPASVS: 1.1.6
• OWASPSAMM: SA1-A
• OWASPSCVS: 4
• SCSIC: Vendor Sourcing Integrity Controls
• SCTPC: MAINTAIN
• SP80053: SA-4, SA-5, SA-8(3), SA-10(6), SR-3, SR-4
• SP800161: SA-4, SA-5, SA-8(3), SA-10(6), SR-3, SR-4
• SP800181: K0039

PW.4.2

Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components.

Implementation Examples

• Example 1: Follow organization-established security practices for secure software development when creating and maintaining the components.
• Example 2: Determine secure configurations for software components, and make these available (e.g., as configuration-as-code) so developers can readily use the configurations.
• Example 3: Maintain one or more software repositories for these components.
• Example 4: Designate which components must be included in software to be developed.
• Example 5: Implement processes to update deployed software components to newer versions, and maintain older versions of software components until all transitions from those versions have been completed successfully.

References

• BSIMM: SFD1.1, SFD2.1, SFD3.2, SR1.1
• EO14028: 4e(ix)
• IDASOAR: 19
• OWASPASVS: 1.1.6
• SCTPC: MAINTAIN
• SP80053: SA-8(3)
• SP800161: SA-8(3)
• SP800181: SP-DEV-001

PW.4.4

Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.

Implementation Examples

• Example 1: Regularly check whether there are publicly known vulnerabilities in the software modules and services that vendors have not yet fixed.
• Example 2: Build into the toolchain automatic detection of known vulnerabilities in software components.
• Example 3: Use existing results from commercial services for vetting the software modules and services.
• Example 4: Ensure that each software component is still actively maintained and has not reached end of life; this should include new vulnerabilities found in the software being remediated.
• Example 5: Determine a plan of action for each software component that is no longer being maintained or will not be available in the near future.
• Example 6: Confirm the integrity of software components through digital signatures or other mechanisms.
• Example 7: Review, analyze, and/or test code. See PW.7 and PW.8.

References

• BSAFSS: SC.3-1, SM.2-1, SM.2-2, SM.2-3, TV.2, TV.3
• BSIMM: CP3.2, SR2.4, SR3.1, SR3.2, SE2.4, SE3.6
• CNCFSSCP: Securing Materials—Verification, Automation
• EO14028: 4e(iii), 4e(iv), 4e(vi), 4e(ix), 4e(x)
• IDASOAR: 21
• IEC62443: SI-1, SM-9, SM-10, DM-1
• IR8397: 2.11
• MSSDL: 7
• NISTCSF: ID.SC-4, PR.DS-6
• NISTLABEL: 2.2.2.2
• OWASPASVS: 10, 14.2
• OWASPMASVS: 7.5
• OWASPSAMM: TA3-A, SR3-B
• OWASPSCVS: 4, 5, 6
• PCISSLC: 3.2, 3.4, 4.1
• SCAGILE: Tasks Requiring the Help of Security Experts 8
• SCFPSSD: Manage Security Risk Inherent in the Use of Third-Party Components
• SCSIC: Vendor Sourcing Integrity Controls, Peer Reviews and Security Testing
• SCTPC: MAINTAIN, ASSESS
• SP80053: SA-9, SR-3, SR-4, SR-4(3), SR-4(4)
• SP800160: 3.1.2, 3.3.8
• SP800161: SA-4, SA-8, SA-9, SA-9(3), SR-3, SR-4, SR-4(3), SR-4(4)
• SP800181: SP-DEV-002; K0153, K0266; S0298