Back

Specify appropriate tools for the system development project.


CONTROL ID
06830
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Separate the design and development environment from the production environment., CC ID: 06088

This Control has the following implementation support Control(s):
  • Implement security controls in development endpoints., CC ID: 16389


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Robust web application frameworks are used in the development of web applications. (Control: ISM-1239; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Robust web application frameworks are used in the development of web applications. (Control: ISM-1239; Revision: 4, Australian Government Information Security Manual, September 2023)
  • An APRA-regulated entity would typically implement roles, responsibilities and tools for managing the registration and deployment of source code to ensure that information security requirements are not compromised. (Attachment D 4., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution would normally implement roles, responsibilities and tools for managing the registration and deployment of source code to ensure that IT security requirements are not compromised. (Attachment D ¶ 5, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • No development and system tools on operational systems (except those required for operation), (5.2.2 Requirements (should) Bullet 1 Sub-Bullet 2, Information Security Assessment, Version 5.1)
  • Specify/approve secure compilers, tools, flags & options. (§ 4.1, Microsoft Simplified Implementation of the Security Development Lifecycle (SDL), 1.0)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Identifies the standards and tools used in the development process; (SA-15a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Evidence of the validation of software tools for their intended use should be maintained. (§ 5.2.5 ¶ 18, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Identifies the standards and tools used in the development process; (SA-15a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Identifies the standards and tools used in the development process; (SA-15a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., FedRAMP Security Controls High Baseline, Version 5)
  • Identifies the standards and tools used in the development process; (SA-15a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Identifies the standards and tools used in the development process; (SA-15a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other. (PO.3.1, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Implement Supporting Toolchains (PO.3): Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools m… (PO.3, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Use compiler, interpreter, and build tools that offer features to improve executable security. (PW.6.1, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations. (PW.6.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • The organization requires the developer of the information system, system component, or information system service to follow a documented development process that identifies the standards and tools used in the development process. (SA-15a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents the specific tool options and tool configurations used in the development process. (SA-15a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to follow a documented development process that identifies the standards and tools used in the development process. (SA-15a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to follow a documented development process that documents the specific tool options and tool configurations used in the development process. (SA-15a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Identifies the standards and tools used in the development process; (SA-15a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Documents the specific tool options and tool configurations used in the development process; and (SA-15a.3., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)