+PSS-02 Identification of Vulnerabilities of the Cloud Service
---+PSS-02.01B
---+PSS-02.02B
---+PSS-02.03B
---+PSS-02.01AC
1. Overview
PSS-02 Identification of Vulnerabilities of the Cloud Service

| Designation | Standard |
|---|---|
| PSS-02.01B | The cloud service provider applies appropriate measures to check the cloud service for vulnerabilities which might have been integrated into the cloud service during the software development process. |
| PSS-02.02B | The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities: 1. Static Application Security Testing (SAST); 2. Dynamic Application Security Testing (DAST); 3. Code reviews by the cloud service provider's subject matter experts; 4. Conducting security checks based on a list of software components or Software Bill of Materials (SBOM); and 5. Obtaining information about confirmed vulnerabilities in software libraries provided by third parties and used in the provider's own cloud service. |
| PSS-02.03B | The severity of identified vulnerabilities is assessed according to defined criteria, and measures are taken to immediately eliminate or mitigate them. |
| PSS-02.01AC | The procedures for identifying such vulnerabilities also include annual code reviews or security penetration tests by qualified external third parties. |

Supplementary information (stated for each of the PSS-02 criteria above): Known vulnerabilities in externally related system components (e.g. operating systems) used for the development and provision of the cloud service but not going through the cloud service provider's software development process are the subject of criterion OPS-25 (Managing Vulnerabilities, Incidents and Errors - Vulnerability Scans).
1.1 References

2. Identified Requirements

| Source | Requirement |
|---|---|

3. Related Regulations

| Source | Regulation |
|---|---|