This 3m video features Kyle Lai discussing the CMMC compliance for software companies
CMMC Compliance for Software Companies requirements
Do you develop API’s or applications that are within your CMMC or CUI scope? If yes, you must perform a software or application vulnerability assessment to meet the requirements for CMMC level 3 or above.
CMMC requires a Software Security Assessment
CMMC model version 1.02 practice CA.3.162 requires completion of a software security assessment. 2 common software security testing methodologies are:
- Static Application Security Testing (also known as SAST) for software source code security reviews, and
- Dynamic Application Security Testing (also known as DAST) for web applications
Many companies use agile or DevOps methodology to deploy an API or application quickly. I recognize it is not easy to integrate security into the software development lifecycle (SDLC) or DevOps pipeline. Make it a priority to develop your software securely to prevent attacks or data breaches.
Move beyond a mindset of mere baseline compliance
Don’t just integrate software security for the sake of compliance, train your developers to utilize software testing requirements. I recommend utilizing DAST for testing purposes within smaller companies who have limited internal software development resources. DAST gives fewer false positives. And it is faster for testing and remediation. Importantly, use SAST and DAST as part of a comprehensive software security program if you are a medium to large size company.
You can evaluate interactive application security testing or IAST tools if you have an existing software quality assurance or QA program.
This is important. Open Source vulnerabilities are widespread!
Don’t forget to address Open Source component security. According to a report from Synopsis, about 99% of modern software code has Open Source components. Hundreds of Open Source vulnerabilities are identified and reported every day. Most importantly, keep up to date with the latest versions and patch your software appropriately.
If you use containers to deploy software or applications, patch them continuously with the latest base image and components. Above all, your software is not secure when your hosting container is not secure.
Contact us if you have questions about CMMC and your Software Security Requirements
My name is Kyle Lai, president and Chief Information Security Officer at KLC Consulting. If you have any questions about software security, DevOps, or software security testing requirements for CMMC, please contact us at CMMC@klcconsulting.net or visit our website at klcconsulting.net. Thank you.
To learn how a KLC vCISO can guide you to CMMC compliance please click here