owaspsamm / core

Core model including reused documentation
Creative Commons Attribution Share Alike 4.0 International

Design - Security Requirements - Supplier Security Criterion for ML 3 #15

Open mufambisi opened 2 years ago

mufambisi commented 2 years ago

One of the criteria for maturity level 3 reads:

"The vendor has a secure SDLC that includes secure build, secure deployment, defect management, and incident management that align with those used in your organization"

I do not think the vendor's SDLC practices necessarily have to align with those used in your organization, as your organisation may be of a lesser maturity and vendors may have many customers with varying processes. As an indication of the maturity of the vendor, I would suggest a criterion along the lines of:

"The vendor has a secure SDLC that includes secure build, secure deployment, defect management, and incident management and is able to demonstrate operating effectiveness of practices." The criterion has to be independent of my own organization's practices.

Happy to hear your thoughts on this.

johnellingsworth commented 3 months ago

"Demonstrating operating effectiveness" is a very good suggestion. It is not critical that the criteria align with your organization, but they should be acceptable. Recommend updating the criterion to:

“The vendor has a secure SDLC that includes secure build, secure deployment, defect management, and incident management, meets the security expectations of your organization, and is able to demonstrate operating effectiveness of practices.”

23bartman commented 3 months ago

I've created a fix to include the new suggestion.