Skip to content

PW.6: Configure the Compilation, Interpreter, and Build Processes to Improve Executable Security

Decrease the number of security vulnerabilities in the software and reduce costs by eliminating vulnerabilities before testing occurs.

PW.6.1

Use compiler, interpreter, and build tools that offer features to improve executable security.

Implementation Examples
  • Example 1: Use up-to-date versions of compiler, interpreter, and build tools.\nExample 2: Follow change management processes when deploying or updating compiler, interpreter, and build tools, and audit all unexpected changes to tools.\nExample 3: Regularly validate the authenticity and integrity of compiler, interpreter, and build tools. See PO.3.
References
  • BSAFSS: DE.2-1
  • BSIMM: SE2.4
  • CNCFSSCP: Securing Build Pipelines—Verification, Automation
  • IEC62443: SI-2
  • MSSDL: 8
  • SCAGILE: Operational Security Task 3
  • SCFPSSD: Use Current Compiler and Toolchain Versions and Secure Compiler Options
  • SCSIC: Vendor Software Development Integrity Controls
  • SP80053: CM-09, SA-15

PW.6.2

Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations.

Implementation Examples
  • Example 1: Enable compiler features that produce warnings for poorly secured code during the compilation process.\nExample 2: Implement the "clean build" concept, where all compiler warnings are treated as errors and eliminated except those determined to be false positives or irrelevant.\nExample 3: Perform all builds in a dedicated, highly controlled build environment.\nExample 4: Enable compiler features that randomize or obfuscate execution characteristics, such as memory location usage, that would otherwise be predictable and thus potentially exploitable.\nExample 5: Test to ensure that the features are working as expected and are not inadvertently causing any operational issues or other problems.\nExample 6: Continuously verify that the approved configurations are being used.\nExample 7: Make the approved tool configurations available as configuration-as-code so developers can readily use them.
References