@cyclonedx/cdxgen 10.4.3 → 10.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/README.md +11 -2
  2. package/analyzer.js +1 -0
  3. package/bin/cdxgen.js +29 -2
  4. package/bin/repl.js +39 -0
  5. package/binary.js +2 -0
  6. package/data/crypto-oid.json +32 -0
  7. package/data/lic-mapping.json +14 -4
  8. package/data/templates/README.md +3 -0
  9. package/data/templates/asvs-4.0.3.cdx.json +2943 -0
  10. package/data/templates/bsimm-v13.cdx.json +1008 -0
  11. package/data/templates/masvs-2.0.0.cdx.json +225 -0
  12. package/data/templates/nist-ssdf-1.1.cdx.json +828 -0
  13. package/data/templates/pcissc-secure-slc-1.1.cdx.json +1027 -0
  14. package/data/templates/scvs-1.0.0.cdx.json +813 -0
  15. package/data/templates/ssaf-DRAFT-2023-11.cdx.json +127 -0
  16. package/display.js +55 -25
  17. package/envcontext.js +2 -1
  18. package/evinser.js +15 -6
  19. package/index.js +206 -79
  20. package/package.json +6 -6
  21. package/postgen.js +63 -0
  22. package/types/analyzer.d.ts.map +1 -1
  23. package/types/binary.d.ts.map +1 -1
  24. package/types/display.d.ts +2 -2
  25. package/types/display.d.ts.map +1 -1
  26. package/types/envcontext.d.ts.map +1 -1
  27. package/types/evinser.d.ts.map +1 -1
  28. package/types/index.d.ts.map +1 -1
  29. package/types/postgen.d.ts +1 -0
  30. package/types/postgen.d.ts.map +1 -1
  31. package/types/utils.d.ts +22 -0
  32. package/types/utils.d.ts.map +1 -1
  33. package/utils.js +119 -5
  34. package/utils.test.js +2 -2
package/data/templates/pcissc-secure-slc-1.1.cdx.json ADDED
@@ -0,0 +1,1027 @@
1
+ {
2
+ "metadata": {
3
+ "licenses": []
4
+ },
5
+ "definitions": {
6
+ "standards": [
7
+ {
8
+ "bom-ref": "pcissc-sslc-1.1",
9
+ "name": "PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures",
10
+ "version": "1.1",
11
+ "description": "PCI Secure SLC provides a baseline of security requirements with corresponding assessment procedures and guidance to help software vendors design, develop, and maintain secure software throughout the software lifecycle.",
12
+ "owner": "PCI Security Standards Council",
13
+ "requirements": [
14
+ {
15
+ "bom-ref": "pcissc-sslc-1.1-1",
16
+ "identifier": "1",
17
+ "title": "Security Responsibilities and Resources",
18
+ "text": "The software vendor’s senior leadership team establishes formal responsibility and authority for the security of the software vendor’s products and services. The software vendor allocates resources to execute the strategy and ensure that personnel are appropriately skilled."
19
+ },
20
+ {
21
+ "bom-ref": "pcissc-sslc-1.1-1.1",
22
+ "identifier": "1.1",
23
+ "text": "Overall responsibility for the security of the software vendor’s products and services is assigned by the vendor’s senior leadership team.",
24
+ "parent": "pcissc-sslc-1.1-1",
25
+ "descriptions": [
26
+ "The formal assignment of responsibility by the software vendor’s senior leadership team ensures strategic-level visibility into and influence over the vendor’s software security practices. Senior leadership typically represents those individuals or teams with the responsibility and authority to make strategic business decisions for the software vendor organization. In many cases, senior leadership teams are comprised of members of the executive team such as the chief executive officer (CEO), chief financial officer (CFO), chief technology officer (CTO), chief information officer (CIO), chief risk officer (CRO), or similar roles, but that is not the case in all organizations. The distinct structure of the senior leadership team is ultimately determined by the software vendor.\n\nAssignment of overall responsibility for the vendor’s software security program should include the authority to enforce and execute the organization’s software security strategy. Without appropriate authority, those responsible for the security of the software vendor’s products and services cannot be reasonably held accountable for ensuring the organization’s security strategy is followed. Those responsible for the vendor’s software security should provide periodic updates on the state of the vendor’s software security program and the performance of its strategy to senior leadership. This allows senior leadership to ensure the strategy is being properly prioritized and resourced, and that changes required as a result of its performance are approved in a timely manner.\n\nEvidence to support this control objective might include job descriptions, organization charts, presentations, audio recordings, senior leadership meeting minutes, reports, e-mails, formal communications from senior leadership to the rest of the organization, or any other records that clearly reflect the formal assignment of responsibility and authority, and communications between senior leadership and those responsible for the vendor’s software security program regarding program performance."
27
+ ]
28
+ },
29
+ {
30
+ "bom-ref": "pcissc-sslc-1.1-1.1.1",
31
+ "identifier": "1.1.1",
32
+ "text": "Accountability for ensuring the security of the software vendor’s products and services is formally assigned to an individual or team by the software vendor’s senior leadership.",
33
+ "parent": "pcissc-sslc-1.1-1.1"
34
+ },
35
+ {
36
+ "bom-ref": "pcissc-sslc-1.1-1.1.2",
37
+ "identifier": "1.1.2",
38
+ "text": "Responsibilities include keeping senior leadership informed of security updates, issues, and other matters related to the security of the software vendor’s products and services.",
39
+ "parent": "pcissc-sslc-1.1-1.1"
40
+ },
41
+ {
42
+ "bom-ref": "pcissc-sslc-1.1-1.1.3",
43
+ "identifier": "1.1.3",
44
+ "text": "Updates are provided to senior leadership at least annually on the performance of and changes to the software vendor’s software security policy and strategy described in Objective 2.",
45
+ "parent": "pcissc-sslc-1.1-1.1"
46
+ },
47
+ {
48
+ "bom-ref": "pcissc-sslc-1.1-1.2",
49
+ "identifier": "1.2",
50
+ "text": "Software security responsibilities are assigned.",
51
+ "parent": "pcissc-sslc-1.1-1",
52
+ "descriptions": [
53
+ "Individuals (including third-party personnel) involved in the design, development, testing and maintenance of the software vendor’s products and services should be assigned responsibility and accountability for ensuring that software is designed and maintained in accordance with the software vendor’s security strategy and all applicable security requirements, including software-specific requirements. Responsibilities can be assigned to an individual, group, or role; however, individuals assigned to a particular group or role should clearly understand how those software security responsibilities affect their individual job functions, the organization’s security expectations, and the individual’s role in fulfilling those expectations. Individuals assigned software security responsibilities should be able to demonstrate an understanding of their responsibilities and accountability.\n\nEvidence to support this objective might include job descriptions, employee agreements, presentations, company communications, training materials, e-mails, intranet content, or any other documentation or records that clearly and consistently illustrate the assignment of security responsibilities, and the acknowledgement and understanding of those roles and responsibilities."
54
+ ]
55
+ },
56
+ {
57
+ "bom-ref": "pcissc-sslc-1.1-1.2.1",
58
+ "identifier": "1.2.1",
59
+ "text": "Software security responsibilities are clearly defined and assigned to appropriate individuals or teams, including software development personnel.",
60
+ "parent": "pcissc-sslc-1.1-1.2"
61
+ },
62
+ {
63
+ "bom-ref": "pcissc-sslc-1.1-1.2.2",
64
+ "identifier": "1.2.2",
65
+ "text": "Assignment of responsibilities for ensuring the security of the software vendor’s products and services covers the entire software lifecycle.",
66
+ "parent": "pcissc-sslc-1.1-1.2"
67
+ },
68
+ {
69
+ "bom-ref": "pcissc-sslc-1.1-1.2.3",
70
+ "identifier": "1.2.3",
71
+ "text": "Personnel are aware of and understand their responsibilities.",
72
+ "parent": "pcissc-sslc-1.1-1.2"
73
+ },
74
+ {
75
+ "bom-ref": "pcissc-sslc-1.1-1.3",
76
+ "identifier": "1.3",
77
+ "text": "Software development personnel maintain skills in software security matters relevant to their specific role, responsibility, and job function.",
78
+ "parent": "pcissc-sslc-1.1-1",
79
+ "descriptions": [
80
+ "To be effective in meeting their software security responsibilities, software development personnel must be trained or have experience in performing such responsibilities and must maintain the appropriate skills to properly carry out those responsibilities.\n\nAt a minimum, all software development personnel must have a basic understanding of general software security concepts and best practices. Individuals with specialized roles and responsibilities should additionally possess specialized skills relevant to the functions they perform. Examples of specialized skills include secure software design (software architects), secure coding techniques (software developers), and security-testing techniques (software testers).\n\nEfforts to maintain those skills may include software vendor- provided training, ongoing participation in local or regional user groups, or the achievement and maintenance of industry-specific certifications. It is up to the software vendor to define the necessary criteria for maintaining appropriate job-specific skills and confirm individual adherence at least annually.\n\nEvidence to support this control objective might include policies and processes, training materials or content, records of on-the-job training or course attendance, individual qualification certificates, continuing education credits, or any other documentation or evidence that clearly and consistently demonstrates that software development personnel possess and maintain appropriate skills and knowledge for their specific job function and responsibilities."
81
+ ]
82
+ },
83
+ {
84
+ "bom-ref": "pcissc-sslc-1.1-1.3.1",
85
+ "identifier": "1.3.1",
86
+ "text": "A mature process is implemented and maintained for managing and maintaining software security skills for software development personnel.",
87
+ "parent": "pcissc-sslc-1.1-1.3"
88
+ },
89
+ {
90
+ "bom-ref": "pcissc-sslc-1.1-1.3.2",
91
+ "identifier": "1.3.2",
92
+ "text": "The skills required for each defined role, responsibility, and job function are clearly defined.",
93
+ "parent": "pcissc-sslc-1.1-1.3"
94
+ },
95
+ {
96
+ "bom-ref": "pcissc-sslc-1.1-1.3.3",
97
+ "identifier": "1.3.3",
98
+ "text": "The criteria for maintaining individual skills are clearly defined.",
99
+ "parent": "pcissc-sslc-1.1-1.3"
100
+ },
101
+ {
102
+ "bom-ref": "pcissc-sslc-1.1-1.3.4",
103
+ "identifier": "1.3.4",
104
+ "text": "The process includes a review at least annually to ensure software development personnel are maintaining the necessary skills for the security responsibilities they have been assigned.",
105
+ "parent": "pcissc-sslc-1.1-1.3"
106
+ },
107
+ {
108
+ "bom-ref": "pcissc-sslc-1.1-1.3.5",
109
+ "identifier": "1.3.5",
110
+ "text": "Software development personnel demonstrate that they possess the skills required for their role, responsibility, or job function.",
111
+ "parent": "pcissc-sslc-1.1-1.3"
112
+ },
113
+ {
114
+ "bom-ref": "pcissc-sslc-1.1-1.3.6",
115
+ "identifier": "1.3.6",
116
+ "text": "Software development personnel satisfy the criteria for maintaining their indivudal skills.",
117
+ "parent": "pcissc-sslc-1.1-1.3"
118
+ },
119
+ {
120
+ "bom-ref": "pcissc-sslc-1.1-2",
121
+ "identifier": "2",
122
+ "title": "Software Security Policy and Strategy",
123
+ "text": "The software vendor defines, maintains, and communicates a software security policy and a strategy for ensuring the secure design, development, and management of its products and services. Performance against the software security strategy is monitored and tracked.",
124
+ "descriptions": ["."]
125
+ },
126
+ {
127
+ "bom-ref": "pcissc-sslc-1.1-2.1",
128
+ "identifier": "2.1",
129
+ "text": "Regulatory and industry security and compliance requirements applicable to the software vendor’s operations, products, and services and the data stored, processed, or transmitted by the software vendor are identified and monitored.",
130
+ "parent": "pcissc-sslc-1.1-2",
131
+ "descriptions": [
132
+ "Many organizations are subject to requirements for the protection of certain types of information and data such as personally identifiable information (PII), cardholder data (CHD), and protected health information (PHI).\n\nSoftware vendors should maintain awareness of evolving industry and regulatory requirements applicable to their operations and products. Maintaining ongoing awareness of external security and compliance obligations allows the software vendor to ensure its processes adequately address those requirements at all times, including whenever those requirements are updated or new requirements are introduced.\n\nEvidence to support this control objective might include documented policies and processes, internal standards, requirement mappings, internal presentations, training materials, or any other documentation or records that clearly and consistently illustrate that the software vendor has made reasonable efforts to understand and monitor its external security and compliance requirements"
133
+ ]
134
+ },
135
+ {
136
+ "bom-ref": "pcissc-sslc-1.1-2.1.1",
137
+ "identifier": "2.1.1",
138
+ "text": "A mature process exists to identify and monitor external regulatory and industry security and compliance requirements.",
139
+ "parent": "pcissc-sslc-1.1-2.1"
140
+ },
141
+ {
142
+ "bom-ref": "pcissc-sslc-1.1-2.1.2",
143
+ "identifier": "2.1.2",
144
+ "text": "The process includes reviewing sources of regulatory and industry security and compliance requirements for changes at least annually.",
145
+ "parent": "pcissc-sslc-1.1-2.1"
146
+ },
147
+ {
148
+ "bom-ref": "pcissc-sslc-1.1-2.1.3",
149
+ "identifier": "2.1.3",
150
+ "text": "The process results in an inventory of external regulatory and industry security and compliance requirements.",
151
+ "parent": "pcissc-sslc-1.1-2.1"
152
+ },
153
+ {
154
+ "bom-ref": "pcissc-sslc-1.1-2.1.4",
155
+ "identifier": "2.1.4",
156
+ "text": "The inventory is updated as external security and compliance requirements change.",
157
+ "parent": "pcissc-sslc-1.1-2.1"
158
+ },
159
+ {
160
+ "bom-ref": "pcissc-sslc-1.1-2.2",
161
+ "identifier": "2.2",
162
+ "text": "A software security policy is defined and establishes the specific rules and goals for ensuring the software vendor’s products and services are designed, developed, and maintained to be secure, resistant to attack, and in a manner that satisfies the software vendor’s security and compliance obligations.",
163
+ "parent": "pcissc-sslc-1.1-2",
164
+ "descriptions": [
165
+ "Software vendors must establish a company-wide software security policy to ensure that all individuals or teams⎯including relevant business partners⎯involved in software design, development, and maintenance are aware and have a consistent understanding of how the vendor’s software products and services should be securely built and maintained, and how any critical assets should be handled. The software security policy (or policies) should be known and thoroughly understood by those with the responsibility to ensure they are met, as well as those individuals and teams who have the ability to affect the security of the software vendor’s products and services. The software vendor’s senior leadership team should openly support the establishment and enforcement of the software security policy through appropriate communications to software vendor personnel, to reinforce the importance of software security to the vendor organization and its leadership.\n\nEvidence to support this control objective might include documented policies and processes, presentations, mission statements, e-mails, company intranet content, or other formal company communications that clearly and consistently illustrate efforts to ensure appropriate personnel and business partners are aware of and understand the vendor’s software security policy."
166
+ ]
167
+ },
168
+ {
169
+ "bom-ref": "pcissc-sslc-1.1-2.2.1",
170
+ "identifier": "2.2.1",
171
+ "text": "A software security policy exists and is communicated to appropriate software vendor personnel and business partners, including all software development personnel.",
172
+ "parent": "pcissc-sslc-1.1-2.2"
173
+ },
174
+ {
175
+ "bom-ref": "pcissc-sslc-1.1-2.2.2",
176
+ "identifier": "2.2.2",
177
+ "text": "At a minimum, the policy covers all control objectives within this standard (either explicitly or implicitly).",
178
+ "parent": "pcissc-sslc-1.1-2.2"
179
+ },
180
+ {
181
+ "bom-ref": "pcissc-sslc-1.1-2.2.3",
182
+ "identifier": "2.2.3",
183
+ "text": "The policy is defined in sufficient detail such that the security rules and goals are measurable.",
184
+ "parent": "pcissc-sslc-1.1-2.2"
185
+ },
186
+ {
187
+ "bom-ref": "pcissc-sslc-1.1-2.2.4",
188
+ "identifier": "2.2.4",
189
+ "text": "The software vendor’s senior leadership team has approved the software security policy.",
190
+ "parent": "pcissc-sslc-1.1-2.2"
191
+ },
192
+ {
193
+ "bom-ref": "pcissc-sslc-1.1-2.2.5",
194
+ "identifier": "2.2.5",
195
+ "text": "Software development personnel are aware of and understand the software security policy.",
196
+ "parent": "pcissc-sslc-1.1-2.2"
197
+ },
198
+ {
199
+ "bom-ref": "pcissc-sslc-1.1-2.3",
200
+ "identifier": "2.3",
201
+ "text": "A formal software security strategy for ensuring the security of the software vendor’s products and services and satisfying its software security policy is established and maintained.",
202
+ "parent": "pcissc-sslc-1.1-2",
203
+ "descriptions": [
204
+ "A software security strategy is a high-level plan, roadmap, or methodology for ensuring the secure design, development, and maintenance of the software vendor’s products and services, and adherence to the software vendor’s software security policy.\n\nSoftware vendors should either adopt existing or develop their own frameworks or methodologies in accordance with industry-accepted practices for secure software lifecycle management. By aligning its software security strategy with industry-accepted methodologies, the software vendor is less likely to overlook important aspects of secure software lifecycle management.\n\nSoftware vendors that develop their own methodologies should understand how they differ from industry-accepted methodologies, identify any gaps, and ensure that sufficient evidence is maintained to clearly illustrate how their methodologies are at least as effective as those accepted by the industry. \n\nExamples of industry-accepted methodologies that are commonly used as benchmarks for secure software development and management include, but are not limited to, current versions of: ISO/IEC 27034 Application Security Guidelines; Building Security In Maturity Model (BSIMM); OWASP Software Assurance Maturity Model (OpenSAMM); and NIST .Special Publication 800-160 and its Appendixes.\n\nThe software security strategy should evolve as internal factors— such as the software vendor’s business strategy or product/service offerings—or external factors—such as external security and compliance requirements—evolve. Therefore, the software security strategy is not static and should be periodically reviewed and updated to maintain alignment with business needs and priorities.\n\nEvidence to support this requirement might include documented security plans or methodologies, presentations, policies and processes, training materials, meeting minutes, interviewer notes, e-mails or executive communications, mappings, or references to industry-accepted methodologies, gap analysis results, or any other records or documentation that clearly and consistently illustrates that the vendor has made a reasonable effort to develop, maintain, and keep current a formal strategy for satisfying the vendor’s software security policy."
205
+ ]
206
+ },
207
+ {
208
+ "bom-ref": "pcissc-sslc-1.1-2.3.1",
209
+ "identifier": "2.3.1",
210
+ "text": "A strategy for ensuring the security of the software vendor’s products and services is defined.",
211
+ "parent": "pcissc-sslc-1.1-2.3"
212
+ },
213
+ {
214
+ "bom-ref": "pcissc-sslc-1.1-2.3.2",
215
+ "identifier": "2.3.2",
216
+ "text": "The software security strategy clearly outlines how the software security policy is to be satisfied.",
217
+ "parent": "pcissc-sslc-1.1-2.3"
218
+ },
219
+ {
220
+ "bom-ref": "pcissc-sslc-1.1-2.3.3",
221
+ "identifier": "2.3.3",
222
+ "text": "The software security strategy is based on or aligned with industry-accepted methodologies.",
223
+ "parent": "pcissc-sslc-1.1-2.3"
224
+ },
225
+ {
226
+ "bom-ref": "pcissc-sslc-1.1-2.3.4",
227
+ "identifier": "2.3.4",
228
+ "text": "The software security strategy covers the entire lifecycle of the software vendor’s products and services.",
229
+ "parent": "pcissc-sslc-1.1-2.3"
230
+ },
231
+ {
232
+ "bom-ref": "pcissc-sslc-1.1-2.3.5",
233
+ "identifier": "2.3.5",
234
+ "text": "The software security strategy is communicated to appropriate personnel, including software development personnel.",
235
+ "parent": "pcissc-sslc-1.1-2.3"
236
+ },
237
+ {
238
+ "bom-ref": "pcissc-sslc-1.1-2.3.6",
239
+ "identifier": "2.3.6",
240
+ "text": "The software security strategy is reviewed at least annually and updated as needed (such as when business needs, external drivers, and products and services evolve).",
241
+ "parent": "pcissc-sslc-1.1-2.3"
242
+ },
243
+ {
244
+ "bom-ref": "pcissc-sslc-1.1-2.3.7",
245
+ "identifier": "2.3.7",
246
+ "text": "Software development personnel are aware of and understand the software security strategy.",
247
+ "parent": "pcissc-sslc-1.1-2.3"
248
+ },
249
+ {
250
+ "bom-ref": "pcissc-sslc-1.1-2.4",
251
+ "identifier": "2.4",
252
+ "text": "Software security assurance processes are implemented and maintained throughout the entire software lifecycle.",
253
+ "parent": "pcissc-sslc-1.1-2",
254
+ "descriptions": [
255
+ "Software security assurance processes are activities that are implemented to carry out the software vendor’s software security strategy and to facilitate secure software design, development, and maintenance. To ensure that security and compliance requirements are met, software security policy is satisfied, and the software vendor’s products and services are secure and resistant to attack, software vendors need to define such processes throughout all phases of the software lifecycle. These may include security “checkpoints,” which are distinct points within the software development process where software is checked to make sure security requirements are met. Examples of software security assurance processes and controls include software-design reviews, automated code reviews, security-specific functional testing, and change-management processes. For organizations that leverage Agile software development methodologies, security checkpoints may be incorporated into the “story” acceptance criteria or the criteria for determining when work is considered “done.”\n\nEvidence to support this requirement might include documented policies and processes, security-control inventories, output from Governance Risk and Compliance (GRC) or other management tools, software-specific requirements documentation, or any other evidence that clearly and consistently identifies the software security assurance processes that have been implemented and illustrates that the security assurance processes are appropriate for the function they are intended to provide. Additionally, evidence to illustrate the software security assurance processes are implemented properly may include system or process outputs such as threat models, security test results, bug tracking data, audit log data, incident response, etc."
256
+ ]
257
+ },
258
+ {
259
+ "bom-ref": "pcissc-sslc-1.1-2.4.1",
260
+ "identifier": "2.4.1",
261
+ "text": "Software security assurance processes are defined, implemented and maintained.",
262
+ "parent": "pcissc-sslc-1.1-2.4"
263
+ },
264
+ {
265
+ "bom-ref": "pcissc-sslc-1.1-2.4.2",
266
+ "identifier": "2.4.2",
267
+ "text": "An inventory of software security assurance processes is maintained.",
268
+ "parent": "pcissc-sslc-1.1-2.4"
269
+ },
270
+ {
271
+ "bom-ref": "pcissc-sslc-1.1-2.4.3",
272
+ "identifier": "2.4.3",
273
+ "text": "Software security assurance processes clearly address the specific rules and goals within the software vendor’s software security policy.",
274
+ "parent": "pcissc-sslc-1.1-2.4"
275
+ },
276
+ {
277
+ "bom-ref": "pcissc-sslc-1.1-2.4.4",
278
+ "identifier": "2.4.4",
279
+ "text": "Software security assurance processes are aligned with the software vendor’s software security strategy",
280
+ "parent": "pcissc-sslc-1.1-2.4"
281
+ },
282
+ {
283
+ "bom-ref": "pcissc-sslc-1.1-2.4.5",
284
+ "identifier": "2.4.5",
285
+ "text": "Software vendor personnel, including software development personnel, are assigned responsibility and accountability for the execution and performance of the security assurance process in accordance with Requirement 1.2.",
286
+ "parent": "pcissc-sslc-1.1-2.4"
287
+ },
288
+ {
289
+ "bom-ref": "pcissc-sslc-1.1-2.4.6",
290
+ "identifier": "2.4.6",
291
+ "text": "The individuals or teams responsible for performing and maintaining each security assurance process are clearly aware of their responsibilities.",
292
+ "parent": "pcissc-sslc-1.1-2.4"
293
+ },
294
+ {
295
+ "bom-ref": "pcissc-sslc-1.1-2.4.7",
296
+ "identifier": "2.4.7",
297
+ "text": "The results or outcomes of each security assurance process are monitored in accordance with Requirement 2.6.",
298
+ "parent": "pcissc-sslc-1.1-2.4"
299
+ },
300
+ {
301
+ "bom-ref": "pcissc-sslc-1.1-2.5",
302
+ "identifier": "2.5",
303
+ "text": "Evidence is generated and maintained to demonstrate the effectiveness of software security assurance processes.",
304
+ "parent": "pcissc-sslc-1.1-2",
305
+ "descriptions": [
306
+ "To demonstrate the effectiveness of software security assurance processes, evidence should be generated and maintained for each process to illustrate that it directly results in or contributes to the expected security outcomes—e.g., fewer vulnerabilities or greater resistance to attacks.\n\nEvidence needs to be frequently collected and kept up to date to ensure it accurately reflects the ongoing effectiveness of security assurance processes. Without a track record of performance for software security assurance processes, it becomes almost impossible to effectively perform root-cause analysis when such processes fail to produce the expected results.\n\nEvidence to support this objective might include security control and evidence generation inventories, vulnerability reports, penetration testing results, or any other records and evidence that clearly and consistently illustrates evidence is generated for each software security assurance process and that the evidence clearly illustrates the effectiveness of the processes."
307
+ ]
308
+ },
309
+ {
310
+ "bom-ref": "pcissc-sslc-1.1-2.5.1",
311
+ "identifier": "2.5.1",
312
+ "text": "Evidence is generated and maintained for each security assurance process.",
313
+ "parent": "pcissc-sslc-1.1-2.5"
314
+ },
315
+ {
316
+ "bom-ref": "pcissc-sslc-1.1-2.5.2",
317
+ "identifier": "2.5.2",
318
+ "text": "The evidence generated for each process reasonably demonstrates the process is operating effectively and as intended.",
319
+ "parent": "pcissc-sslc-1.1-2.5"
320
+ },
321
+ {
322
+ "bom-ref": "pcissc-sslc-1.1-2.6",
323
+ "identifier": "2.6",
324
+ "text": "Failures or weaknesses in software security assurance processes are detected. Weak or ineffective security assurance processes are updated, augmented or replaced.",
325
+ "parent": "pcissc-sslc-1.1-2",
326
+ "descriptions": [
327
+ "Software vendors should monitor their security assurance processes to confirm that they remain appropriate (i.e., fit for purpose) and effective for their intended purpose and function. For example, the use of manual code reviews may be sufficient to detect all coding errors and vulnerabilities for software with a very limited code base. However, as the code base grows, the use of manual code reviews for the same purpose becomes increasingly impractical or insufficient, and automated testing tools (such as automated static-code scanners and dynamic software-analysis tools) should be utilized.\n\nOne method for detecting weak or ineffective security controls is to define a set of metrics or trends that can be used to measure the effectiveness of security assurance processes. For example, the results from a vendor’s security testing may provide greater insight into the effectiveness of security assurance processes. If security tests repeatedly find vulnerabilities within the software, it may be an indication that applicable security assurance processes are not being executed properly or working as intended. Another method to detect weak or ineffective security assurance processes would be to perform regular reviews of those processes and the evidence generated by those processes to verify they continue to be appropriate for their intended purpose.\n\nEvidence to support this requirement might include process- generated evidence, security test results, root-cause analysis, documented remediation actions, or any other evidence that clearly and consistently illustrates that the effectiveness of software security assurance processes is monitored, failures and weaknesses are detected, and security assurance processes are updated, augmented or replaced when no longer effective at satisfying their intended purpose."
328
+ ]
329
+ },
330
+ {
331
+ "bom-ref": "pcissc-sslc-1.1-2.6.1",
332
+ "identifier": "2.6.1",
333
+ "text": "A mature process exists to detect and evaluate weak or ineffective security assurance processes.",
334
+ "parent": "pcissc-sslc-1.1-2.6"
335
+ },
336
+ {
337
+ "bom-ref": "pcissc-sslc-1.1-2.6.2",
338
+ "identifier": "2.6.2",
339
+ "text": "The criteria for determining a weak or ineffective security assurance process is defined and justified.",
340
+ "parent": "pcissc-sslc-1.1-2.6"
341
+ },
342
+ {
343
+ "bom-ref": "pcissc-sslc-1.1-2.6.3",
344
+ "identifier": "2.6.3",
345
+ "text": "Security assurance processes are updated, augmented or replaced when deemed weak or ineffective.",
346
+ "parent": "pcissc-sslc-1.1-2.6"
347
+ },
348
+ {
349
+ "bom-ref": "pcissc-sslc-1.1-3",
350
+ "identifier": "3",
351
+ "title": "Threat Identification and Mitigation",
352
+ "text": "The software vendor continuously identifies, assesses, and manages risk to its software and services."
353
+ },
354
+ {
355
+ "bom-ref": "pcissc-sslc-1.1-3.1",
356
+ "identifier": "3.1",
357
+ "text": "Critical assets are identified and classified.",
358
+ "parent": "pcissc-sslc-1.1-3",
359
+ "descriptions": [
360
+ "Before the software vendor can determine how to effectively secure and defend its software against attacks, it must first develop a thorough understanding of the software’s critical assets that could be targeted by attackers.\n\nCritical assets include any sensitive data collected, stored, processed, or transmitted by the vendor’s software, as well as any sensitive functions and sensitive resources within or used by the software. Examples of analysis techniques that could be used to identify critical assets include, but are not limited to, Mission Impact Analysis (MIA), Functional Dependency Network Analysis (FDNA), and Mission Threat Analysis."
361
+ ]
362
+ },
363
+ {
364
+ "bom-ref": "pcissc-sslc-1.1-3.1.1",
365
+ "identifier": "3.1.1",
366
+ "text": "A mature process exists to identify and classify critical assets.",
367
+ "parent": "pcissc-sslc-1.1-3.1"
368
+ },
369
+ {
370
+ "bom-ref": "pcissc-sslc-1.1-3.1.2",
371
+ "identifier": "3.1.2",
372
+ "text": "The criteria for identifying critical assets and determining the confidentiality, integrity, and resiliency requirements for each critical asset are defined.",
373
+ "parent": "pcissc-sslc-1.1-3.1"
374
+ },
375
+ {
376
+ "bom-ref": "pcissc-sslc-1.1-3.1.3",
377
+ "identifier": "3.1.3",
378
+ "text": "The process accounts for all types of critical assets—including sensitive data, sensitive resources, and sensitive functions—for the vendor’s software.",
379
+ "parent": "pcissc-sslc-1.1-3.1"
380
+ },
381
+ {
382
+ "bom-ref": "pcissc-sslc-1.1-3.1.4",
383
+ "identifier": "3.1.4",
384
+ "text": "The process results in an inventory of critical assets used by the vendor’s software.",
385
+ "parent": "pcissc-sslc-1.1-3.1"
386
+ },
387
+ {
388
+ "bom-ref": "pcissc-sslc-1.1-3.2",
389
+ "identifier": "3.2",
390
+ "text": "Threats to the software and weaknesses within its design are continuously identified and assessed.",
391
+ "parent": "pcissc-sslc-1.1-3",
392
+ "descriptions": [
393
+ "Determining how to effectively secure and defend software against attacks requires a thorough understanding of the specific threats and vulnerabilities applicable to the vendor’s software. This typically involves understanding the motivations an attacker may have for attacking software; weaknesses in the software design that an attacker might attempt to exploit; the exploitability of identified weaknesses; and the impact of a successful attack.\n\nThis information helps the software vendor to identify the threats and design flaws that present the most significant and immediate risk, and to prioritize remediation activities necessary to address them.\n\nInformation regarding software threats can be obtained from a variety of sources, both external and internal. Examples of external sources include publications from organizations such as SANS, MITRE, and CERT that specialize in tracking common system vulnerabilities and attack techniques, or industry-specific sources that provide threat intelligence for specific sectors, such as FS-ISAC for the financial services industry and R-CISC for the retail industry. Other external sources of threat information and design weaknesses could include technology vendors, open-source user communities, industry publications, and academic papers. Internal sources could include reports from internal research and design teams, formal threat models, or actual activity data from internal security or operations teams.\n\nWhere open-source software components are used, the software vendor should consider any risks associated with the use of the open-source components and the extent to which the open-source software provider manages the security of those components. Additionally, the software vendor will need to confirm that support—including up-to-date security patches—is available (whether provided by an internal or external entity) for the open-source component. The use of open-source components should be supported by a clear policy about how those components are evaluated and implemented. A reliable support system should be in place to identify errors or problems and evaluate and address them in a timely manner.\n\nWhere vulnerabilities are identified in open-source components that are applicable to their software, software vendors should have processes in place to analyze those vulnerabilities and update the components to appropriate, non-vulnerable versions in a timely manner. When patches for open-source components are no longer available, those components should be replaced by actively supported ones. Vendors should identify and establish sources and processes for managing vulnerabilities in open-source components that are appropriate for their software design and release frequency."
394
+ ]
395
+ },
396
+ {
397
+ "bom-ref": "pcissc-sslc-1.1-3.2.1",
398
+ "identifier": "3.2.1",
399
+ "text": "A mature process exists to identify, assess, and monitor software threats and design weaknesses (i.e., flaws).",
400
+ "parent": "pcissc-sslc-1.1-3.2"
401
+ },
402
+ {
403
+ "bom-ref": "pcissc-sslc-1.1-3.2.2",
404
+ "identifier": "3.2.2",
405
+ "text": "The assessment accounts for all software inputs/outputs, process/data flows, trust boundaries and decision points, and how they may be exploited by an attacker.",
406
+ "parent": "pcissc-sslc-1.1-3.2"
407
+ },
408
+ {
409
+ "bom-ref": "pcissc-sslc-1.1-3.2.3",
410
+ "identifier": "3.2.3",
411
+ "text": "The assessment accounts for the entire code base, including how the use of third-party, open-source, or shared components or libraries, APIs, services, and applications used for the delivery and operation of the software may be leveraged in an attack.",
412
+ "parent": "pcissc-sslc-1.1-3.2"
413
+ },
414
+ {
415
+ "bom-ref": "pcissc-sslc-1.1-3.2.4",
416
+ "identifier": "3.2.4",
417
+ "text": "The assessment results in a recorded inventory of threats and design flaws.",
418
+ "parent": "pcissc-sslc-1.1-3.2"
419
+ },
420
+ {
421
+ "bom-ref": "pcissc-sslc-1.1-3.2.5",
422
+ "identifier": "3.2.5",
423
+ "text": "Assessments are routinely performed to account for changes to existing or the emergence of new threats or design flaws.",
424
+ "parent": "pcissc-sslc-1.1-3.2"
425
+ },
426
+ {
427
+ "bom-ref": "pcissc-sslc-1.1-3.2.6",
428
+ "identifier": "3.2.6",
429
+ "text": "An inventory of open-source components used in the vendor’s software is maintained.",
430
+ "parent": "pcissc-sslc-1.1-3.2"
431
+ },
432
+ {
433
+ "bom-ref": "pcissc-sslc-1.1-3.2.7",
434
+ "identifier": "3.2.7",
435
+ "text": "A mature process exists to analyze and mitigate the use of open-source components with known vulnerabilities.",
436
+ "parent": "pcissc-sslc-1.1-3.2"
437
+ },
438
+ {
439
+ "bom-ref": "pcissc-sslc-1.1-3.2.8",
440
+ "identifier": "3.2.8",
441
+ "text": "The software vendor monitors vulnerabilities in open-source components throughout their use or inclusion in the vendor’s software.",
442
+ "parent": "pcissc-sslc-1.1-3.2"
443
+ },
444
+ {
445
+ "bom-ref": "pcissc-sslc-1.1-3.2.9",
446
+ "identifier": "3.2.9",
447
+ "text": "An appropriate patching strategy for open- source components is defined.",
448
+ "parent": "pcissc-sslc-1.1-3.2"
449
+ },
450
+ {
451
+ "bom-ref": "pcissc-sslc-1.1-3.3",
452
+ "identifier": "3.3",
453
+ "text": "Software security controls are implemented in the software to mitigate threats and design weaknesses.",
454
+ "parent": "pcissc-sslc-1.1-3",
455
+ "descriptions": [
456
+ "To ensure that its software is resistant to attacks, software vendors must implement software-specific controls or countermeasures in their software to mitigate the specific threats and design weaknesses. Examples of such controls include the use of multi-factor authentication mechanisms to prevent unauthorized individuals gaining access to critical assets, and logging mechanisms to detect if and when authentication mechanisms might have been circumvented. Other examples include the use of input validation routines or parameterized queries to protect software from SQL-injection attacks. Except where specific software security controls and countermeasures are defined within this standard, it is up to the vendor to determine the most appropriate software security controls to implement. The specific controls used will be dependent on the software threats identified in Requirement 3.2 as well as the software’s architecture, the software’s intended function, the data it handles, and the external resources it utilizes.\n\nEvidence to support this control objective may include software- specific requirements documentation, feature lists, security control inventories, change-management documentation, risk assessment reports, test results, or any other evidence or information that clearly and consistently illustrates that the software vendor implements and maintains security controls in software to address the risks to that software."
457
+ ]
458
+ },
459
+ {
460
+ "bom-ref": "pcissc-sslc-1.1-3.3.1",
461
+ "identifier": "3.3.1",
462
+ "text": "A mature process exists for defining software- specific security requirements and implementing software security controls within the software to mitigate software threats and design flaws.",
463
+ "parent": "pcissc-sslc-1.1-3.3"
464
+ },
465
+ {
466
+ "bom-ref": "pcissc-sslc-1.1-3.3.2",
467
+ "identifier": "3.3.2",
468
+ "text": "Decisions on whether and how to mitigate a specific threat or design flaw are recorded, justified, and approved by appropriate personnel.",
469
+ "parent": "pcissc-sslc-1.1-3.3"
470
+ },
471
+ {
472
+ "bom-ref": "pcissc-sslc-1.1-3.3.3",
473
+ "identifier": "3.3.3",
474
+ "text": "Any remaining residual risk is recorded, justified, and approved by appropriate personnel.",
475
+ "parent": "pcissc-sslc-1.1-3.3"
476
+ },
477
+ {
478
+ "bom-ref": "pcissc-sslc-1.1-3.4",
479
+ "identifier": "3.4",
480
+ "text": "Failures or weaknesses in software security controls are detected. Weak or ineffective security controls are updated, augmented or replaced.",
481
+ "parent": "pcissc-sslc-1.1-3",
482
+ "descriptions": [
483
+ "Vendors should monitor and/or routinely test their software to confirm that implemented software security controls remain appropriate (i.e., fit for purpose) and effective for sufficiently mitigating evolving risks or design flaws. For example, a software-specific security requirement may call for cryptography to be used to protect software communications. While the use of SSL may have been sufficient upon the initial design and release of the software, SSL is no longer sufficient to adequately protect communications as new threats and attack methods have significantly reduced its effectiveness as a security control. Therefore, it is imperative that vendors have processes in place to continuously monitor implemented security controls to make sure that they remain appropriate and sufficient to mitigate evolving threats and design flaws throughout the entire lifetime of the software.\n\nEvidence to support this requirement might include software- specific documentation, features lists, software-specific security control inventories, change-management documentation, risk- assessment reports, penetration test results, output from active monitoring systems, bug bounty program data, or any other evidence or information that clearly and consistently illustrates that the effectiveness of software security controls is monitored and that software-specific software security controls are updated, augmented, or replaced when no longer effective at satisfying their intended purpose of resisting attacks."
484
+ ]
485
+ },
486
+ {
487
+ "bom-ref": "pcissc-sslc-1.1-3.4.1",
488
+ "identifier": "3.4.1",
489
+ "text": "A mature process exists to identify weak or ineffective software security controls and to update, augment, or replace them.",
490
+ "parent": "pcissc-sslc-1.1-3.4"
491
+ },
492
+ {
493
+ "bom-ref": "pcissc-sslc-1.1-3.4.2",
494
+ "identifier": "3.4.2",
495
+ "text": "The criteria for determining a weak or ineffective security control is defined and justified.",
496
+ "parent": "pcissc-sslc-1.1-3.4"
497
+ },
498
+ {
499
+ "bom-ref": "pcissc-sslc-1.1-3.4.3",
500
+ "identifier": "3.4.3",
501
+ "text": "The process involves monitoring security control effectiveness throughout the software lifecycle.",
502
+ "parent": "pcissc-sslc-1.1-3.4"
503
+ },
504
+ {
505
+ "bom-ref": "pcissc-sslc-1.1-3.4.4",
506
+ "identifier": "3.4.4",
507
+ "text": "Weak or ineffective security controls are updated, augmented, or replaced in a timely manner upon detection.",
508
+ "parent": "pcissc-sslc-1.1-3.4"
509
+ },
510
+ {
511
+ "bom-ref": "pcissc-sslc-1.1-3.5.5",
512
+ "identifier": "3.5.5",
513
+ "text": "Decisions on whether and how to replace and augment weak or ineffective security controls are made in accordance with defined criteria and with Requirement 3.3.",
514
+ "parent": "pcissc-sslc-1.1-3.5"
515
+ },
516
+ {
517
+ "bom-ref": "pcissc-sslc-1.1-4",
518
+ "identifier": "4",
519
+ "title": "Vulnerability Detection and Mitigation",
520
+ "text": "The software vendor detects and mitigates vulnerabilities in software to ensure that its software remains resistant to attacks throughout its entire lifecycle."
521
+ },
522
+ {
523
+ "bom-ref": "pcissc-sslc-1.1-4.1",
524
+ "identifier": "4.1",
525
+ "text": "Existing and emerging software vulnerabilities are detected in a timely manner.",
526
+ "parent": "pcissc-sslc-1.1-4",
527
+ "descriptions": [
528
+ "Software should be monitored or routinely tested to confirm that vulnerabilities are identified and mitigated before software or code updates are released into production, and to address any vulnerabilities that may have been discovered since release.\n\nRoutine security testing should be performed prior to or as part of the code-commit process to detect coding errors or the use of insecure functions. It could also be performed during unit, integration, regression, or interoperability testing, or during separate security testing. Security testing should be performed consistently and throughout all stages of the software lifecycle, including during various pre-release phases of the software development process and after code release, to ensure the software is free from vulnerabilities upon launch and any subsequent updates, and remains free from vulnerabilities throughout its lifetime.\n\nSecurity testing should be performed by appropriately skilled vendor personnel or third parties. In addition, security testing personnel should be able to conduct tests in an objective manner and be authorized to escalate any identified vulnerabilities to appropriate management or development personnel so they can be properly addressed.\n\nEvidence to support this control objective could include software- specific requirements documentation, security test results, feature lists, change-management documentation, entries in the vendor’s workflow (bug tracking) database, or any other evidence or information that clearly and consistently shows that security testing is performed routinely to detect vulnerabilities in code prior to release as well as vulnerabilities discovered since code launch."
529
+ ]
530
+ },
531
+ {
532
+ "bom-ref": "pcissc-sslc-1.1-4.1.1",
533
+ "identifier": "4.1.1",
534
+ "text": "A mature process exists for testing software for the existence and emergence of vulnerabilities (i.e., security testing).",
535
+ "parent": "pcissc-sslc-1.1-4.1"
536
+ },
537
+ {
538
+ "bom-ref": "pcissc-sslc-1.1-4.1.2",
539
+ "identifier": "4.1.2",
540
+ "text": "Tools or methods used for security testing are appropriate for detecting applicable vulnerabilities in the vendor’s software, and are suitable for the software architectures, and the software development languages and frameworks employed.",
541
+ "parent": "pcissc-sslc-1.1-4.1"
542
+ },
543
+ {
544
+ "bom-ref": "pcissc-sslc-1.1-4.1.3",
545
+ "identifier": "4.1.3",
546
+ "text": "Security testing is performed throughout the entire software lifecycle, including after release.",
547
+ "parent": "pcissc-sslc-1.1-4.1"
548
+ },
549
+ {
550
+ "bom-ref": "pcissc-sslc-1.1-4.1.4",
551
+ "identifier": "4.1.4",
552
+ "text": "Security testing accounts for the entire code base, including detecting vulnerabilities in any third-party, open-source, and shared components and libraries.",
553
+ "parent": "pcissc-sslc-1.1-4.1"
554
+ },
555
+ {
556
+ "bom-ref": "pcissc-sslc-1.1-4.1.5",
557
+ "identifier": "4.1.5",
558
+ "text": "Security testing is performed by authorized and objective vendor personnel or third parties.",
559
+ "parent": "pcissc-sslc-1.1-4.1"
560
+ },
561
+ {
562
+ "bom-ref": "pcissc-sslc-1.1-4.1.6",
563
+ "identifier": "4.1.6",
564
+ "text": "Security testing results in an inventory of identified vulnerabilities.",
565
+ "parent": "pcissc-sslc-1.1-4.1"
566
+ },
567
+ {
568
+ "bom-ref": "pcissc-sslc-1.1-4.1.7",
569
+ "identifier": "4.1.7",
570
+ "text": "Security-testing details including the tools used, their configurations, and the specific tests performed are recorded and retained.",
571
+ "parent": "pcissc-sslc-1.1-4.1"
572
+ },
573
+ {
574
+ "bom-ref": "pcissc-sslc-1.1-4.2",
575
+ "identifier": "4.2",
576
+ "text": "Newly discovered vulnerabilities are fixed in a timely manner. The reintroduction of similar or previously resolved vulnerabilities is prevented.",
577
+ "parent": "pcissc-sslc-1.1-4",
578
+ "descriptions": [
579
+ "Vulnerabilities should be addressed in a manner commensurate with the risk they pose to the software or its stakeholders. The most critical or severe vulnerabilities⎯i.e., those with the highest exploitability and/or the greatest impact to stakeholders⎯should be patched immediately, followed by those with moderate-to-low exploitability and/or impact. Additionally, the discovery of new classes of vulnerabilities should be used as a source of input for process improvement. Software should be reviewed for instances of similar vulnerabilities, and the vendor’s development processes updated to enable detection and mitigation of such vulnerabilities in the future.\n\nIn some cases, it may be impractical for a vendor to fix all identified vulnerabilities prior to the release of production code or updates. In such circumstances, the vendor should have a methodology with clear criteria defined for prioritizing vulnerability fixes. The default outcome should always be that vulnerabilities are fixed before the software is released. In cases where it is not possible to fix a vulnerability prior to release, an exception process involving management at a level commensurate with the severity of the vulnerability should be invoked. The process should include documented justification for why a fix for was not provided to address the vulnerability.\n\nIf it is not possible to mitigate a certain vulnerability prior to release, the vendor should provide stakeholders with additional guidance to mitigate the risk of exploitation until a security update to fix the vulnerability can be made available.\n\nUnder no circumstances should a previously resolved vulnerability be reintroduced into production code, nor should similar vulnerabilities within the same class of vulnerabilities be reintroduced. Additional assurance processes and safeguards should be implemented to ensure that such incidents are avoided. The specific processes to prevent such occurrences will largely depend on how the vendor’s software is structured and how the vendor manages software updates. It is up to the software vendor to determine the most appropriate methods to prevent the reintroduction of vulnerabilities into production code."
580
+ ]
581
+ },
582
+ {
583
+ "bom-ref": "pcissc-sslc-1.1-4.2.1",
584
+ "identifier": "4.2.1",
585
+ "text": "A mature process exists for distributing and deploying fixes for newly discovered vulnerabilities and preventing the reintroduction of previously resolved vulnerabilities.",
586
+ "parent": "pcissc-sslc-1.1-4.2"
587
+ },
588
+ {
589
+ "bom-ref": "pcissc-sslc-1.1-4.2.2",
590
+ "identifier": "4.2.2",
591
+ "text": "The process includes methods to prevent previously resolved vulnerabilities or other similar vulnerabilities from being reintroduced into the software.",
592
+ "parent": "pcissc-sslc-1.1-4.2"
593
+ },
594
+ {
595
+ "bom-ref": "pcissc-sslc-1.1-4.2.3",
596
+ "identifier": "4.2.3",
597
+ "text": "The criteria for determining the “criticality” or “severity” of vulnerabilities and how to address vulnerabilities are defined and justified.",
598
+ "parent": "pcissc-sslc-1.1-4.2"
599
+ },
600
+ {
601
+ "bom-ref": "pcissc-sslc-1.1-4.2.4",
602
+ "identifier": "4.2.4",
603
+ "text": "Fixes to address vulnerabilities in production code are made available and deployed in accordance with defined criteria.",
604
+ "parent": "pcissc-sslc-1.1-4.2"
605
+ },
606
+ {
607
+ "bom-ref": "pcissc-sslc-1.1-4.2.5",
608
+ "identifier": "4.2.5",
609
+ "text": "Decisions not to provide fixes in accordance with defined criteria are approved and justified by appropriate personnel on a case-by-case basis.",
610
+ "parent": "pcissc-sslc-1.1-4.2"
611
+ },
612
+ {
613
+ "bom-ref": "pcissc-sslc-1.1-5",
614
+ "identifier": "5",
615
+ "title": "Change Management",
616
+ "text": "The software vendor identifies and manages all software changes throughout the software lifecycle."
617
+ },
618
+ {
619
+ "bom-ref": "pcissc-sslc-1.1-5.1",
620
+ "identifier": "5.1",
621
+ "text": "All changes to software are identified, assessed, and approved.",
622
+ "parent": "pcissc-sslc-1.1-5",
623
+ "descriptions": [
624
+ "All changes to software should be defined, documented, approved, and tracked so that any vulnerabilities attributed to such changes may be identified and resolved as quickly as possible. The harder it is to trace vulnerabilities back to the changes that introduced them, the longer it takes to resolve those vulnerabilities⎯thus placing the software at greater risk of attack or compromise.\n\nIt is imperative to understand the security risk of a change to the software to ensure that it is addressed accordingly. It often involves understanding the types of software functionality the change impacts (e.g., functionality that deals with encryption or authentication processes), the type of information assets that the functionality can access or manipulate, the likelihood of successful vulnerability exploitation, and the impact a successful attack may have on stakeholders."
625
+ ]
626
+ },
627
+ {
628
+ "bom-ref": "pcissc-sslc-1.1-5.1.1",
629
+ "identifier": "5.1.1",
630
+ "text": "A mature process exists to identify, assess, and approve all changes to software.",
631
+ "parent": "pcissc-sslc-1.1-5.1"
632
+ },
633
+ {
634
+ "bom-ref": "pcissc-sslc-1.1-5.1.2",
635
+ "identifier": "5.1.2",
636
+ "text": "The process includes an analysis of the security impact of all changes.",
637
+ "parent": "pcissc-sslc-1.1-5.1"
638
+ },
639
+ {
640
+ "bom-ref": "pcissc-sslc-1.1-5.1.3",
641
+ "identifier": "5.1.3",
642
+ "text": "The process results in an inventory of all changes made to software, including a record of the determined security impact.",
643
+ "parent": "pcissc-sslc-1.1-5.1"
644
+ },
645
+ {
646
+ "bom-ref": "pcissc-sslc-1.1-5.1.4",
647
+ "identifier": "5.1.4",
648
+ "text": "All change-management decisions are recorded.",
649
+ "parent": "pcissc-sslc-1.1-5.1"
650
+ },
651
+ {
652
+ "bom-ref": "pcissc-sslc-1.1-5.1.5",
653
+ "identifier": "5.1.5",
654
+ "text": "All implemented changes are authorized by\nresponsible personnel.",
655
+ "parent": "pcissc-sslc-1.1-5.1"
656
+ },
657
+ {
658
+ "bom-ref": "pcissc-sslc-1.1-5.1.6",
659
+ "identifier": "5.1.6",
660
+ "text": "The inventory of changes identifies the individual creator of the code and individual authorizing the change, for each code change.",
661
+ "parent": "pcissc-sslc-1.1-5.1"
662
+ },
663
+ {
664
+ "bom-ref": "pcissc-sslc-1.1-5.1.7",
665
+ "identifier": "5.1.7",
666
+ "text": "All decisions to implement changes are justified.",
667
+ "parent": "pcissc-sslc-1.1-5.1"
668
+ },
669
+ {
670
+ "bom-ref": "pcissc-sslc-1.1-5.2",
671
+ "identifier": "5.2",
672
+ "text": "All software versions are uniquely identified and tracked throughout the software lifecycle.",
673
+ "parent": "pcissc-sslc-1.1-5",
674
+ "descriptions": [
675
+ "Without a thoroughly defined versioning methodology, changes to software may not be properly identified, and customers and integrators/resellers may not understand the impact of such changes.\n\nThe system or methodology adopted by the vendor should allow different release versions of a software product to be easily distinguishable. To ensure a software version accurately represents the release version, the versioning system or methodology should be integrated with applicable lifecycle functions, such as code control and change management.\n\nThe versioning system or methodology should encompass all changes to all relevant software components. As several iterations of a software component may be produced for a single software release, the versioning system or methodology should easily identify the version of each component associated with a specific software release version.\n\nThe method used for identifying the software release versions—for example, a version numbering scheme— should be documented and reflect the type of change and its impact on the software.\n\nFor software intended to be validated under the PCI Software Security Framework, the vendor’s versioning system or methodology is important in determining updates to the PCI SSC List of Validated Payment Software. Refer to the PCI Secure Software Program Guide for further information."
676
+ ]
677
+ },
678
+ {
679
+ "bom-ref": "pcissc-sslc-1.1-5.2.1",
680
+ "identifier": "5.2.1",
681
+ "text": "A formal system or methodology for uniquely identifying each version of software is defined.",
682
+ "parent": "pcissc-sslc-1.1-5.2"
683
+ },
684
+ {
685
+ "bom-ref": "pcissc-sslc-1.1-5.2.2",
686
+ "identifier": "5.2.2",
687
+ "text": "The system or methodology includes arranging unique identifiers or version elements in a sequential and logical manner.",
688
+ "parent": "pcissc-sslc-1.1-5.2"
689
+ },
690
+ {
691
+ "bom-ref": "pcissc-sslc-1.1-5.2.3",
692
+ "identifier": "5.2.3",
693
+ "text": "All changes to software functionality are clearly associated with a unique software version.",
694
+ "parent": "pcissc-sslc-1.1-5.2"
695
+ },
696
+ {
697
+ "bom-ref": "pcissc-sslc-1.1-5.2.4",
698
+ "identifier": "5.2.4",
699
+ "text": "Software versions are updated in accordance with the defined versioning system or methodology.",
700
+ "parent": "pcissc-sslc-1.1-5.2"
701
+ },
702
+ {
703
+ "bom-ref": "pcissc-sslc-1.1-6",
704
+ "identifier": "6",
705
+ "title": "Software Integrity Protection",
706
+ "text": "The integrity of software is protected throughout the software lifecycle."
707
+ },
708
+ {
709
+ "bom-ref": "pcissc-sslc-1.1-6.1",
710
+ "identifier": "6.1",
711
+ "text": "The integrity of all software code, including third-party components, is maintained throughout the entire software lifecycle.",
712
+ "parent": "pcissc-sslc-1.1-6",
713
+ "descriptions": [
714
+ "Effective software-code control practices help ensure that all changes to code are authorized and performed only by those with a legitimate reason to change the code. Examples of these practices include code check-in and check-out procedures with strict access controls, and a comparison—for example, using a checksum—immediately before updating code to confirm that the last approved version has not been changed. It is important that controls cover all software code, third-party components and libraries, configuration files, etc. that are controlled by the vendor.\n\nThe integrity and confidentiality of these assets need to be maintained, as they often contain sensitive data such as intellectual property⎯for example, business logic—logic of security functions, configuration of cryptographic functions (e.g., white-box cryptography), etc."
715
+ ]
716
+ },
717
+ {
718
+ "bom-ref": "pcissc-sslc-1.1-6.1.1",
719
+ "identifier": "6.1.1",
720
+ "text": "A mature process, mechanism, and/or tool(s) exist to protect the integrity of the software code, including third-party components.",
721
+ "parent": "pcissc-sslc-1.1-6.1"
722
+ },
723
+ {
724
+ "bom-ref": "pcissc-sslc-1.1-6.1.2",
725
+ "identifier": "6.1.2",
726
+ "text": "The processes, mechanisms, and/or tools are reasonable and appropriate for protecting the integrity of software code.",
727
+ "parent": "pcissc-sslc-1.1-6.1"
728
+ },
729
+ {
730
+ "bom-ref": "pcissc-sslc-1.1-6.1.3",
731
+ "identifier": "6.1.3",
732
+ "text": "Processes, mechanisms, or the use of tools results in the timely detection of any unauthorized attempts to tamper with or access software code.",
733
+ "parent": "pcissc-sslc-1.1-6.1"
734
+ },
735
+ {
736
+ "bom-ref": "pcissc-sslc-1.1-6.1.4",
737
+ "identifier": "6.1.4",
738
+ "text": "Unauthorized attempts to tamper with or access software code are investigated in a timely manner.",
739
+ "parent": "pcissc-sslc-1.1-6.1"
740
+ },
741
+ {
742
+ "bom-ref": "pcissc-sslc-1.1-6.2",
743
+ "identifier": "6.2",
744
+ "text": "Software releases and updates are delivered in a secure manner that ensures the integrity of the updated code.",
745
+ "parent": "pcissc-sslc-1.1-6",
746
+ "descriptions": [
747
+ "Security updates should include a mechanism within the update process to verify the updated code has not been replaced or tampered with. Examples of integrity checks include checksums and properly implemented digitally signed certificates.\n\nTo ensure the implemented controls are adequate to address the evolving attack vectors, software vendors should perform periodic reviews to confirm their continued effectiveness."
748
+ ]
749
+ },
750
+ {
751
+ "bom-ref": "pcissc-sslc-1.1-6.2.1",
752
+ "identifier": "6.2.1",
753
+ "text": "A mature process, mechanism, and/or tool(s) exist to ensure the integrity of software updates during delivery.",
754
+ "parent": "pcissc-sslc-1.1-6.2"
755
+ },
756
+ {
757
+ "bom-ref": "pcissc-sslc-1.1-6.2.2",
758
+ "identifier": "6.2.2",
759
+ "text": "The processes, mechanisms, and/or tools are reasonable and appropriate for protecting the update code.",
760
+ "parent": "pcissc-sslc-1.1-6.2"
761
+ },
762
+ {
763
+ "bom-ref": "pcissc-sslc-1.1-6.2.3",
764
+ "identifier": "6.2.3",
765
+ "text": "Processes, mechanisms, and/or the use of tools results in the secure delivery of updated code.",
766
+ "parent": "pcissc-sslc-1.1-6.2"
767
+ },
768
+ {
769
+ "bom-ref": "pcissc-sslc-1.1-7",
770
+ "identifier": "7",
771
+ "title": "Sensitive Data Protection",
772
+ "text": "The confidentiality of sensitive production data is maintained on vendor systems."
773
+ },
774
+ {
775
+ "bom-ref": "pcissc-sslc-1.1-7.1",
776
+ "identifier": "7.1",
777
+ "text": "Sensitive production data is only collected and retained on software vendor systems where there is a legitimate business or technical need.",
778
+ "parent": "pcissc-sslc-1.1-7",
779
+ "descriptions": [
780
+ "To protect the confidentiality of any sensitive production data—that is, sensitive data that is owned by an entity other than the software vendor— and stored on software vendor systems, such data should never be used for purposes other than those for which the data was originally collected. If the software vendor provides services to its stakeholders that could result in the collection of sensitive production data⎯for example, for troubleshooting or debugging purposes⎯then the software vendor should record which specific data elements it collects and retains, and clearly communicate what data elements are collected and why they are collected to its customers and other relevant stakeholders.\n\nThe inventory of sensitive production data retained by the software vendor should include identification of the specific data elements captured, whether storage of each element is permitted, and the security controls required—for example, to protect confidentiality and/or integrity—for each data element during storage and transmission"
781
+ ]
782
+ },
783
+ {
784
+ "bom-ref": "pcissc-sslc-1.1-7.1.1",
785
+ "identifier": "7.1.1",
786
+ "text": "A mature process exists to record and authorize the collection and retention of any sensitive production data.",
787
+ "parent": "pcissc-sslc-1.1-7.1"
788
+ },
789
+ {
790
+ "bom-ref": "pcissc-sslc-1.1-7.1.2",
791
+ "identifier": "7.1.2",
792
+ "text": "An inventory of sensitive production data captured or stored by the software vendor’s products and services is maintained.",
793
+ "parent": "pcissc-sslc-1.1-7.1"
794
+ },
795
+ {
796
+ "bom-ref": "pcissc-sslc-1.1-7.1.3",
797
+ "identifier": "7.1.3",
798
+ "text": "Decisions to use sensitive production data are approved by appropriate software vendor personnel.",
799
+ "parent": "pcissc-sslc-1.1-7.1"
800
+ },
801
+ {
802
+ "bom-ref": "pcissc-sslc-1.1-7.1.4",
803
+ "identifier": "7.1.4",
804
+ "text": "Decisions to use sensitive production data are recorded and reasonably justified.",
805
+ "parent": "pcissc-sslc-1.1-7.1"
806
+ },
807
+ {
808
+ "bom-ref": "pcissc-sslc-1.1-7.2",
809
+ "identifier": "7.2",
810
+ "text": "Sensitive production data is protected when retained on software vendor systems and securely deleted when no longer needed.",
811
+ "parent": "pcissc-sslc-1.1-7",
812
+ "descriptions": [
813
+ "When software vendors collect sensitive production data from their stakeholders—for example, for debugging or other customer support purposes—the vendor should coordinate with its stakeholders to identify which data elements require protection. Vendor stakeholders may have their own definition and associated security requirements for sensitive data, and appropriate protection efforts should be agreed upon by both parties.\n\nWhere the software vendor collects or retains sensitive production data, the software vendor should ensure it is secured—for example, by using robust access control measures and/or strong cryptography with industry- accepted key-management processes. As soon as it is no longer needed for its collected purpose, sensitive production data should be securely deleted such that it is not possible to reconstruct or recover the data from any software vendor system."
814
+ ]
815
+ },
816
+ {
817
+ "bom-ref": "pcissc-sslc-1.1-7.2.1",
818
+ "identifier": "7.2.1",
819
+ "text": "A mature process exists to ensure sensitive production data is protected when retained on software vendor systems and is securely deleted when no longer needed.",
820
+ "parent": "pcissc-sslc-1.1-7.2"
821
+ },
822
+ {
823
+ "bom-ref": "pcissc-sslc-1.1-7.2.2",
824
+ "identifier": "7.2.2",
825
+ "text": "Sensitive production data is not resident on software vendor systems unless appropriate evidence of approval and justification exists.",
826
+ "parent": "pcissc-sslc-1.1-7.2"
827
+ },
828
+ {
829
+ "bom-ref": "pcissc-sslc-1.1-7.2.3",
830
+ "identifier": "7.2.3",
831
+ "text": "Sensitive production data is appropriately protected where it is retained.",
832
+ "parent": "pcissc-sslc-1.1-7.2"
833
+ },
834
+ {
835
+ "bom-ref": "pcissc-sslc-1.1-7.2.4",
836
+ "identifier": "7.2.4",
837
+ "text": "Secure deletion processes or mechanisms are sufficient to render sensitive production data irretrievable.",
838
+ "parent": "pcissc-sslc-1.1-7.2"
839
+ },
840
+ {
841
+ "bom-ref": "pcissc-sslc-1.1-8",
842
+ "identifier": "8",
843
+ "title": "Software Vendor Implementation Guidance",
844
+ "text": "The vendor provides stakeholders with clear and thorough guidance on the secure implementation, configuration, and operation of its software."
845
+ },
846
+ {
847
+ "bom-ref": "pcissc-sslc-1.1-8.1",
848
+ "identifier": "8.1",
849
+ "text": "The software vendor provides stakeholders with clear and thorough guidance on the secure implementation, configuration and operation of its software.",
850
+ "parent": "pcissc-sslc-1.1-8",
851
+ "descriptions": [
852
+ "When followed, the software vendor's implementation guidance provides assurance that the software and patches are securely installed, configured, and maintained in the customer environment, and that all desired security functionality is active and working as intended. "
853
+ ]
854
+ },
855
+ {
856
+ "bom-ref": "pcissc-sslc-1.1-8.1.1",
857
+ "identifier": "8.1.1",
858
+ "text": "A mature process exists to produce, maintain, and make available to stakeholders guidance on the secure implementation, configuration, and operation of its software.",
859
+ "parent": "pcissc-sslc-1.1-8.1"
860
+ },
861
+ {
862
+ "bom-ref": "pcissc-sslc-1.1-8.1.2",
863
+ "identifier": "8.1.2",
864
+ "text": "The implementation guidance includes documentation of all configurable security-related options and parameters for the vendor’s software, and instructions for properly configuring and securing each of those options and parameters.",
865
+ "parent": "pcissc-sslc-1.1-8.1"
866
+ },
867
+ {
868
+ "bom-ref": "pcissc-sslc-1.1-8.2",
869
+ "identifier": "8.2",
870
+ "text": "Secure implementation guidance includes detailed instructions on how to securely install, configure, and maintain all software components and supported platforms.",
871
+ "parent": "pcissc-sslc-1.1-8",
872
+ "descriptions": [
873
+ "The guidance should cover all options and functionality available to software users that could affect the security of the software or the data it interacts with. The guidance should also include secure configuration options for any components provided with or supported by the software, such as external software and underlying platforms.\n\nExamples of configurable options include changing default credentials and passwords; enabling and disabling application accounts, services and features; changes in resource access permissions; integration with third-party cryptographic libraries, random number generators, etc.\n\nFollowing the secure implementation guidance should result in a secure configuration across all configurable options."
874
+ ]
875
+ },
876
+ {
877
+ "bom-ref": "pcissc-sslc-1.1-8.2.1",
878
+ "identifier": "8.2.1",
879
+ "text": "The secure implementation guidance includes instructions on how to securely install or initialize, configure, and maintain the software.",
880
+ "parent": "pcissc-sslc-1.1-8.2"
881
+ },
882
+ {
883
+ "bom-ref": "pcissc-sslc-1.1-8.2.2",
884
+ "identifier": "8.2.2",
885
+ "text": "The secure implementation guidance is sufficiently detailed.",
886
+ "parent": "pcissc-sslc-1.1-8.2"
887
+ },
888
+ {
889
+ "bom-ref": "pcissc-sslc-1.1-8.2.3",
890
+ "identifier": "8.2.3",
891
+ "text": "Evidence exists or is obtained to illustrate that following the secure implementation guidance results in a secure software configuration.",
892
+ "parent": "pcissc-sslc-1.1-8.2"
893
+ },
894
+ {
895
+ "bom-ref": "pcissc-sslc-1.1-8.3",
896
+ "identifier": "8.3",
897
+ "text": "Secure implementation guidance is aligned with software updates.",
898
+ "parent": "pcissc-sslc-1.1-8",
899
+ "descriptions": [
900
+ "As the software vendor is expected to continuously identify, assess, and manage risks to its software, the vendor’s software-change processes should include determining the impact of the change to software vendor guidance. Software changes that impact a configurable feature or option should result in an update to the secure implementation guidance."
901
+ ]
902
+ },
903
+ {
904
+ "bom-ref": "pcissc-sslc-1.1-8.3.1",
905
+ "identifier": "8.3.1",
906
+ "text": "The process to produce and maintain secure implementation guidance includes generation of updated guidance when new software updates are released, or security-related options or parameters are introduced or modified.",
907
+ "parent": "pcissc-sslc-1.1-8.3"
908
+ },
909
+ {
910
+ "bom-ref": "pcissc-sslc-1.1-8.3.2",
911
+ "identifier": "8.3.2",
912
+ "text": "Secure implementation guidance is reviewed at least annually for accuracy even if updates to security-related options and parameters are not issued.",
913
+ "parent": "pcissc-sslc-1.1-8.3"
914
+ },
915
+ {
916
+ "bom-ref": "pcissc-sslc-1.1-9",
917
+ "identifier": "9",
918
+ "title": "Stakeholder Communications",
919
+ "text": "The software vendor maintains communication channels with stakeholders regarding potential security issues and mitigation options."
920
+ },
921
+ {
922
+ "bom-ref": "pcissc-sslc-1.1-9.1",
923
+ "identifier": "9.1",
924
+ "text": "Communication channels are defined and made available for customers, installers, integrators, and other relevant parties to report and receive information on security issues and mitigation options.",
925
+ "parent": "pcissc-sslc-1.1-9",
926
+ "descriptions": [
927
+ "Software vendors should monitor the threat landscape in order to identify new vulnerabilities and security issues that impact their software on the market. Software vendors should also provide open lines of communication to enable researchers or other stakeholders to report newly discovered vulnerabilities in the software vendor’s products and services. Communication channels could include a publicly disclosed e-mail address, website page, or other method to facilitate interactions with external researchers—for example, through a formal bug bounty program. The software vendor should also maintain teams to respond to such reports and drive processes to fix vulnerabilities in the vendor’s software.\n\n"
928
+ ]
929
+ },
930
+ {
931
+ "bom-ref": "pcissc-sslc-1.1-9.1.1",
932
+ "identifier": "9.1.1",
933
+ "text": "A mature process exists to support open, bi- directional communications with stakeholders for reporting and receiving security information regarding the software vendor’s products and services.",
934
+ "parent": "pcissc-sslc-1.1-9.1"
935
+ },
936
+ {
937
+ "bom-ref": "pcissc-sslc-1.1-9.1.2",
938
+ "identifier": "9.1.2",
939
+ "text": "Communication channels provide stakeholders the ability to report security-related issues and to receive timely status updates on their queries.",
940
+ "parent": "pcissc-sslc-1.1-9.1"
941
+ },
942
+ {
943
+ "bom-ref": "pcissc-sslc-1.1-9.1.3",
944
+ "identifier": "9.1.3",
945
+ "text": "The software vendor maintains resources to respond to reports or inquiries regarding the security of the vendor’s products and services.",
946
+ "parent": "pcissc-sslc-1.1-9.1"
947
+ },
948
+ {
949
+ "bom-ref": "pcissc-sslc-1.1-9.2",
950
+ "identifier": "9.2",
951
+ "text": "Stakeholders are notified about security updates in a timely manner.",
952
+ "parent": "pcissc-sslc-1.1-9",
953
+ "descriptions": [
954
+ "In addition to supporting the receipt of information about vulnerabilities within its software products, the software vendor should also issue communications to customers, installers, and integrators to provide information about known vulnerabilities and when fixes will be available. Fixes/patches should be developed and released in a timely manner, based on criticality and in accordance with Requirement 4.2.\n\nSoftware vendor security notifications should include the criticality and potential impact of the vulnerability, as well as clear guidance for addressing the vulnerability⎯for example, how to install a patch or software update. "
955
+ ]
956
+ },
957
+ {
958
+ "bom-ref": "pcissc-sslc-1.1-9.2.1",
959
+ "identifier": "9.2.1",
960
+ "text": "A mature process exists to notify stakeholders about security updates in a timely manner.",
961
+ "parent": "pcissc-sslc-1.1-9.2"
962
+ },
963
+ {
964
+ "bom-ref": "pcissc-sslc-1.1-9.3",
965
+ "identifier": "9.3",
966
+ "text": "Where security updates are not readily available to address known vulnerabilities or exploits, security notifications are issued to all relevant stakeholders to provide instructions for mitigating the risks associated with the known vulnerabilities and exploits.",
967
+ "parent": "pcissc-sslc-1.1-9",
968
+ "descriptions": [
969
+ "Where a fix is not readily available, the software vendor should communicate the risk and provide guidance on mitigation options. Software vendor-initiated communications could include e-mail notifications, website alerts, written notices, social media posts, and any other channels the vendor maintains for stakeholder engagement. Communication channels should be publicized so that stakeholders know how to access them⎯for example, by signing up for e-mail notifications. Software vendor contact information should also be provided for stakeholders to submit further questions regarding security notifications."
970
+ ]
971
+ },
972
+ {
973
+ "bom-ref": "pcissc-sslc-1.1-9.3.1",
974
+ "identifier": "9.3.1",
975
+ "text": "Stakeholders are provided instructions for mitigating the threat, or reducing the likelihood and/or impact of exploitation of known security issues where a timely patch cannot provided.",
976
+ "parent": "pcissc-sslc-1.1-9.3"
977
+ },
978
+ {
979
+ "bom-ref": "pcissc-sslc-1.1-10",
980
+ "identifier": "10",
981
+ "title": "Software Update Information",
982
+ "text": "The software vendor provides stakeholders with detailed explanations of all software changes."
983
+ },
984
+ {
985
+ "bom-ref": "pcissc-sslc-1.1-10.1",
986
+ "identifier": "10.1",
987
+ "text": "Upon release of any software updates, a summary of the specific changes made to the software is provided to stakeholders.",
988
+ "parent": "pcissc-sslc-1.1-10",
989
+ "descriptions": [
990
+ "Release notes should be provided for all software updates, including details of any impact on software functionality and security controls. Informing stakeholders of the impact of a software update enables them to make informed decisions on whether and when to implement it."
991
+ ]
992
+ },
993
+ {
994
+ "bom-ref": "pcissc-sslc-1.1-10.1.1",
995
+ "identifier": "10.1.1",
996
+ "text": "A mature process exists to communicate all software changes to stakeholders upon software updates.",
997
+ "parent": "pcissc-sslc-1.1-10.1"
998
+ },
999
+ {
1000
+ "bom-ref": "pcissc-sslc-1.1-10.1.2",
1001
+ "identifier": "10.1.2",
1002
+ "text": "The process results in a clear and detailed summary of all software changes.",
1003
+ "parent": "pcissc-sslc-1.1-10.1"
1004
+ },
1005
+ {
1006
+ "bom-ref": "pcissc-sslc-1.1-10.1.3",
1007
+ "identifier": "10.1.3",
1008
+ "text": "The change summary information clearly outlines the specific software functionality impacted by the changes.",
1009
+ "parent": "pcissc-sslc-1.1-10.1"
1010
+ },
1011
+ {
1012
+ "bom-ref": "pcissc-sslc-1.1-10.1.4",
1013
+ "identifier": "10.1.4",
1014
+ "text": "Change details are easily accessible to stakeholders.",
1015
+ "parent": "pcissc-sslc-1.1-10.1"
1016
+ },
1017
+ {
1018
+ "bom-ref": "pcissc-sslc-1.1-10.1.5",
1019
+ "identifier": "10.1.5",
1020
+ "text": "Change summary information accurately reflects the changes made to the software.",
1021
+ "parent": "pcissc-sslc-1.1-10.1"
1022
+ }
1023
+ ]
1024
+ }
1025
+ ]
1026
+ }
1027
+ }