IBM Cloud Docs
SA-15 - Development Process, Standards, and Tools

SA-15 - Development Process, Standards, and Tools

Control requirements

The organization:

SA-15 (a)
Requires the developer of the information system, system component, or information system service to follow a documented development process that:
  1. Explicitly addresses security requirements;
  2. Identifies the standards and tools used in the development process;
  3. Documents the specific tool options and tool configurations used in the development process; and
  4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
SA-15 (b)
Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].

Additional IBM Cloud for Financial Services specifications

  • Documentation for the organization's application should contain self-documenting (or self-describing) source code and user interfaces and follow naming conventions and structured programming conventions that enable use of the system without prior specific knowledge. The purpose of this self-explanatory design principle is to make source code easier to read, understand, and maintain, and reduce the need for users/developers to consult external documentation sources such as code comments and software manuals.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

Rules for SA-15 in IBM Cloud for Financial Services v1.2.0 profile
Requirement ID Rules
SA-15 (a)
  • Check whether DevSecOps Toolchain scans build artifacts to identify vulnerabilities
  • Check whether DevSecOps Toolchain verifies source code branch protection rules to enforce security policies
  • Check whether DevSecOps Toolchain validates code against Center for Internet Security (CIS) Docker benchmarks to ensure container runtimes are configured securely
  • Check whether DevSecOps Toolchain passes dynamic code scan to identify vulnerabilities in deployed artifacts
  • Check whether DevSecOps Toolchain scans source code and their dependencies to identify vulnerabilities
  • Check whether DevSecOps Toolchain source code contains no secrets
  • Check whether DevSecOps Toolchain passes static code scan to identify vulnerabilities in source code
  • Check whether DevSecOps Toolchain collects software bills of materials (SBOM) to provide transparency in build artifacts
  • Check whether DevSecOps Toolchain passes unit tests to validate all code changes
  • Check whether DevSecOps Toolchain passes acceptance tests to validate every deployment
  • Check whether DevSecOps Toolchain signs build artifacts to attest their provenance
  • Check whether DevSecOps Toolchain deployment has approved change documentation including security impact analysis

NIST supplemental guidance

Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.