Secure Controls Framework
SSDP Requirements Reference

Application security controls, mapped across frameworks.

From a day-to-day perspective, the requirements for Secure Software Development Practices (SSDP) come from a set of "industry-recognized secure practices" that mandate secure software development. These frameworks affect nearly every organization, regardless of the industry it serves.

✓ EO 14028
✓ PCI DSS v4
✓ CIS v8
✓ CMMC
What This Page Covers

The most common application security controls — in one place.

This page identifies the most common application security controls from leading cybersecurity frameworks. These requirements may come in the form of statutory, regulatory or contractual obligations for an organization to comply with.

Use this reference to:

  • Understand what's expected of secure software development across compliance regimes
  • Map your organization's existing controls to multiple frameworks at once
  • Build evidence packages for audits, attestations, and SDO/CODE applications

By Framework

Application security controls by source.

Selected controls below — see the SCA-BoK for the comprehensive mapping.

Executive Order

EO 14028, Sec. 4 — Software Supply Chain Security

Selected requirements for enhancing software supply chain security:

  • (A) Using administratively separate build environments.
  • (D) Documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software.
  • (F)(ii) Generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section.
  • (F)(iii) Employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code.
  • (F)(ix) Attesting to conformity with secure software development practices.
  • (F)(x) Ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.

Payment Card Industry

PCI DSS v4

Selected requirements for bespoke and custom software development:

  • 6.2.2 Software development personnel working on bespoke and custom software are trained at least once every 12 months on software security relevant to their job function and development languages, including secure software design and secure coding techniques.
  • 6.2.3 Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities. Code reviews ensure code is developed according to secure coding guidelines and look for both existing and emerging software vulnerabilities.
  • 6.2.4 Software engineering techniques are defined and in use to prevent or mitigate common software attacks (injection, XSS/CSRF, business logic abuse, access control bypass, cryptographic weakness, and high-risk vulnerabilities).
  • 6.3.1 Security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including CERT alerts.
  • 6.3.2 An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software, is maintained to facilitate vulnerability and patch management.
  • 6.5.6 Test data and test accounts are removed from system components before the system goes into production.

Center for Internet Security

CIS v8 — Application Software Security

  • 16.1 Establish and Maintain a Secure Application Development Process.
  • 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities.
  • 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure.
  • 16.9 Train Developers in Application Security Concepts and Secure Coding.
  • 16.10 Apply Secure Design Principles in Application Architectures.
  • 16.11 Leverage Vetted Modules or Services for Application Security Components.

Department of Defense

CMMC — Selected Controls

  • 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
  • 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
  • 3.13.13 Control and monitor the use of mobile code.

Additional Frameworks Referenced

SSDP requirements appear everywhere.

Beyond EO 14028, PCI DSS, CIS, and CMMC, secure software development requirements show up across most major cybersecurity frameworks. The SCA-BoK references the following.

  • NIST SP 800-218 (SSDF)
  • NIST SP 800-53
  • NIST SP 800-171
  • NIST SP 800-160
  • NIST SP 800-161
  • ISO 27002
  • SOC 2
  • HIPAA Security Rule
  • GDPR Art. 25
  • OWASP ASVS
  • OWASP Top Ten
  • SOC for Cybersecurity