Software developed in-house for deployment on higher priority assets is developed using secure software development practices
Context and Guidance: Secure software development practices are codified in several frameworks, such as the NIST Secure Software Development Framework (SSDF), the Building Security In Maturity Model (BSIMM), and the guidance published by the Open Web Application Security Project (OWASP). Selection of secure development practices from established frameworks should take into account the organisation's operational needs, risk appetite, and threat environment. Security should be a consideration in each phase of the software development lifecycle, including requirements definition, design, development, testing, and maintenance. Organisations should also consider the risks inherent in less formal software development processes, such as no-code development platforms. For example, open-source content management systems typically have templates and other plugins that are created by third parties and could introduce risk to the organisation.
Related Practices
• Input From: Implementing ASSET-1c provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ARCHITECTURE-4a, ARCHITECTURE-4d, ARCHITECTURE-4f, ARCHITECTURE-4h, ARCHITECTURE-5h.