PW.4.4: Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.
Example 1: Regularly check whether there are publicly known vulnerabilities in the software modules and services that vendors have not yet fixed.
Example 2: Build into the toolchain automatic detection of known vulnerabilities in software components.
Example 3: Use existing results from commercial services for vetting the software modules and services.
Example 4: Ensure that each software component is still actively maintained and has not reached end of life; this should include ensuring that new vulnerabilities found in the software are remediated.
Example 5: Determine a plan of action for each software component that is no longer being maintained or will not be available in the near future.
Example 6: Confirm the integrity of software components through digital signatures or other mechanisms.
Example 7: Review, analyze, and/or test code. See PW.7.1, PW.7.2, PW.8.1, and PW.8.2.
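The following is an added example, not part of the SSDF text, showing how Examples 1/2 (known vulnerabilities), 4/5 (maintenance and end of life) and 6 (integrity) can be combined into one automated component check in a toolchain. The inventory, advisory feed, maintenance data, artifact bytes, policy thresholds and advisory identifiers are all constructed for illustration.

```python
"""Component-compliance check: known vulnerabilities, maintenance status
and artifact integrity for each third-party component in an inventory."""
import hashlib
from datetime import date

# Constructed inventory: the components the build actually pulls in,
# with the digest recorded when each one was vetted.
INVENTORY = [
    {"name": "libfoo", "version": "1.4.2", "sha256": hashlib.sha256(b"libfoo-1.4.2").hexdigest()},
    {"name": "libbar", "version": "0.9.0", "sha256": "deadbeef" * 8},
    {"name": "libbaz", "version": "2.0.1", "sha256": hashlib.sha256(b"libbaz-2.0.1").hexdigest()},
]
# Constructed advisory feed; fixed_in of None means the vendor has not fixed it yet.
ADVISORIES = [
    {"name": "libfoo", "affected_below": "1.5.0", "fixed_in": "1.5.0", "id": "ADV-EXAMPLE-1"},
    {"name": "libbaz", "affected_below": "2.1.0", "fixed_in": None, "id": "ADV-EXAMPLE-2"},
]
# Constructed maintenance data: last release date and vendor-declared end of life.
MAINTENANCE = {
    "libfoo": {"last_release": date(2024, 11, 1), "eol": None},
    "libbar": {"last_release": date(2021, 3, 1), "eol": date(2023, 1, 1)},
    "libbaz": {"last_release": date(2025, 1, 10), "eol": None},
}
# Constructed artifact bytes, standing in for what a registry would serve.
ARTIFACTS = {"libfoo": b"libfoo-1.4.2", "libbar": b"libbar-0.9.0", "libbaz": b"libbaz-2.0.1"}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def check_component(comp, today=date(2025, 6, 1), max_stale_days=365):
    findings = []
    # Examples 1/2: known vulnerabilities, noting whether a vendor fix exists.
    for adv in ADVISORIES:
        if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["affected_below"]):
            status = f"fixed in {adv['fixed_in']}" if adv["fixed_in"] else "no vendor fix yet"
            findings.append(f"vulnerable: {adv['id']} ({status})")
    # Examples 4/5: end-of-life or unmaintained components need a plan of action.
    m = MAINTENANCE.get(comp["name"])
    if m is None or (m["eol"] and m["eol"] <= today):
        findings.append("end-of-life: plan of action required")
    elif (today - m["last_release"]).days > max_stale_days:
        findings.append("stale: no release within maintenance window")
    # Example 6: integrity of the fetched artifact against the recorded digest.
    if hashlib.sha256(ARTIFACTS[comp["name"]]).hexdigest() != comp["sha256"]:
        findings.append("integrity: digest mismatch, do not use")
    return findings

def audit(inventory=INVENTORY):
    """Map each component name to its list of findings; empty list means compliant."""
    return {c["name"]: check_component(c) for c in inventory}
```

A real toolchain would replace the constructed feed and artifact bytes with an advisory source and the downloaded package, and would fail the build on any non-empty findings list.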