Does your organization implement controls to protect all components of internally developed software from tampering and unauthorized access throughout the software development lifecycle?
Explanation
Software integrity is what's under review here, specifically whether you protect every component of internally developed software from tampering and unauthorized access across the development lifecycle. Effective controls might include code signing, access restrictions to repositories, secure build environments, integrity verification mechanisms, and change management processes.
Evidence could include documentation of your secure software development lifecycle (SDLC) process, access control lists for code repositories, code signing certificates and procedures, integrity verification reports, and change management logs showing approval workflows for code modifications.
Implementation Example
Protect all components of organization-developed software from tampering and unauthorized access
ID: PR.PS-06.257
Context
- Function: PR: PROTECT
- Category: PR.PS: Platform Security
- Sub-Category: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
Related questions
- Has your organization established and maintained hardened baseline configurations for all systems that enforce security policies and provide only essential capabilities?
- Does your organization have a documented process for reviewing default configuration settings for security implications when installing or upgrading software?
- Does your organization have a process to monitor software for deviations from approved baselines?
- Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?
- Does your organization follow an immutable infrastructure approach for container deployments by replacing rather than updating existing container instances when updates are required?
- Does your organization have a process to identify and replace end-of-life software and services with supported versions?