Does your organization implement secure software development practices to minimize vulnerabilities in released products?
Explanation
This question concerns secure development practices: whether you apply secure coding standards, security testing, and vulnerability management across the software lifecycle to reduce flaws in released products. Effective secure development practices include threat modeling, code reviews, static and dynamic application security testing (SAST/DAST), and pre-release security validation.
Evidence could include documentation of your secure software development lifecycle (SDLC) process, results from automated security scanning tools, vulnerability management reports showing remediation of identified issues before release, or metrics demonstrating a reduction in security defects over time.
Implementation Example
Secure all software produced by the organization, with minimal vulnerabilities in its releases
ID: PR.PS-06.258
Context
- Function: PR: PROTECT
- Category: PR.PS: Platform Security
- Sub-Category: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle
Related questions
- Has your organization established and maintained hardened baseline configurations for all systems that enforce security policies and provide only essential capabilities?
- Does your organization have a documented process for reviewing default configuration settings for security implications when installing or upgrading software?
- Does your organization have a process to monitor software for deviations from approved baselines?
- Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?
- Does your organization follow an immutable infrastructure approach for container deployments by replacing rather than updating existing container instances when updates are required?
- Does your organization have a process to identify and replace end-of-life software and services with supported versions?