PS.3: Archive and Protect Each Software Release¶
Preserve software releases in order to help identify, analyze, and eliminate vulnerabilities discovered in the software after release.
PS.3.1¶
Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.
Implementation Examples
- Example 1: Store the release files, images, and other associated data in repositories following the organization's established policy. Allow read-only access to them by necessary personnel and no access by anyone else.\nExample 2: Store and protect release integrity verification information and provenance data, such as by keeping it in a separate location from the release files or by signing the data.
References
- BSAFSS: PD.1-5, DE.1-2, IA.2
- CNCFSSCP: Securing Artefacts—Automation, Controlled Environments, Encryption; Securing Deployments—Verification
- IDASoar: 25
- IEC62443: SM-6, SM-7
- NISTCSF: PR.IP-4
- OWASPSCVS: 1, 3.18, 3.19, 6.3
- PCISSLC: 5.2, 6.1, 6.2
- SCSIC: Vendor Software Delivery Integrity Controls
- SP80053: CM-08, CM-12, CP-06, CP-09, MP-02, MP-03, MP-04, SA-10, SA-15, SA-15(11), SC-08, SC-28, SI-12, SR-04
- SP800161: MP-01, SC-28, SC-36, SR-04
PS.3.2¶
Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).
Implementation Examples
- Example 1: Make the provenance data available to software acquirers in accordance with the organization's policies, preferably using standards-based formats.\nExample 2: Make the provenance data available to the organization's operations and response teams to aid them in mitigating software vulnerabilities.\nExample 3: Protect the integrity of provenance data, and provide a way for recipients to verify provenance data integrity.\nExample 4: Update the provenance data every time any of the software's components are updated.