A Security Practices Evaluation Framework

Document Technical Stack

Document the components used to build, test, deploy, and operate the software. Keep components up to date on security patches.

Description

The technical stack consists of all software components required to operate the project’s software in production, as well as the software components used to build, test, and deploy the software. Documentation of the technical stack is necessary for threat modeling, for defining a repeatable development process, and for maintenance of the software’s environment when components receive security patches.

Practice Implementation Questions

  1. Does the project maintain a list of the technologies it uses?
  2. Are all languages, libraries, tools, and infrastructure components used during development, testing, and production on the list?
  3. Are security features developed by the project/organization included on the list?
  4. Is there a security vetting process required before a component is added to the list?
  5. Is there a security vetting process required before a component is used by the project?
  6. Does the list enumerate banned components?
  7. Does the project review the list, and the known vulnerabilities of the components on it, on a schedule?
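As an added illustration of what answering questions 4 through 7 looks like in practice (this is example code, not part of the framework), the following audits a documented stack against a banned list, a vetting flag, a set of patch advisories and a review schedule. The inventory, advisory data, component names, versions and dates are all constructed placeholders.

```python
from datetime import date

# Constructed example inventory for illustration; names, versions and dates
# are placeholders, not a real project's stack.
STACK = [
    {"name": "python", "version": "3.11.4", "role": "runtime", "vetted": True},
    {"name": "openssl", "version": "3.0.8", "role": "library", "vetted": True},
    {"name": "left-pad", "version": "1.3.0", "role": "library", "vetted": False},
    {"name": "legacy-ftpd", "version": "0.9", "role": "service", "vetted": True},
]
BANNED = {"legacy-ftpd"}  # components the project has decided must not be used
# Constructed advisories: component -> first fixed version. A recorded version
# older than the fixed version means the component still needs the patch.
ADVISORIES = {"openssl": "3.0.9", "python": "3.11.4"}
REVIEW_INTERVAL_DAYS = 90  # how often the list itself must be re-reviewed

def parse_version(v):
    """'3.0.8' -> (3, 0, 8); assumes plain dotted integer versions."""
    return tuple(int(p) for p in v.split("."))

def banned_components(stack, banned):
    """Question 6: components on the list that are also on the banned list."""
    return sorted(c["name"] for c in stack if c["name"] in banned)

def unvetted_components(stack):
    """Questions 4-5: components in use that never passed security vetting."""
    return sorted(c["name"] for c in stack if not c["vetted"])

def vulnerable_components(stack, advisories):
    """Question 7: components whose recorded version predates the fix."""
    hits = []
    for c in stack:
        fixed = advisories.get(c["name"])
        if fixed and parse_version(c["version"]) < parse_version(fixed):
            hits.append((c["name"], c["version"], fixed))
    return hits

def review_overdue(last_review, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Question 7: has the scheduled review of the list lapsed? (ISO dates)"""
    delta = date.fromisoformat(today) - date.fromisoformat(last_review)
    return delta.days > interval_days

def audit(stack, banned, advisories, last_review, today):
    """Collect every finding the practice questions ask about in one report."""
    return {
        "banned": banned_components(stack, banned),
        "unvetted": unvetted_components(stack),
        "vulnerable": vulnerable_components(stack, advisories),
        "review_overdue": review_overdue(last_review, today),
    }
```

Calling `audit(STACK, BANNED, ADVISORIES, "2024-01-01", "2024-06-01")` reports the banned service, the unvetted library, the unpatched openssl version and an overdue review; a real inventory would be fed from an SBOM or lockfile rather than a hand-written list.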

Keywords

stack, operating system, database, application server, runtime environment, language, library, component, patch, framework, sandbox, environment, network, tool, compiler, service, version

BSIMM R2.3: Create standards for technology stacks.