+PSS-02.02B

1. Übersicht

PSS-02.02B

The procedures for identifying such vulnerabilities are part of the software development process and, depending on a risk assessment, include the following activities:

1. Static Application Security Testing;
2. Dynamic Application Security Testing;
3. Code reviews by the cloud service provider's subject matter experts;
4. Conducting security checks based on a list of software components or Software Bill of Materials (SBOM); and
5. Obtaining information about confirmed vulnerabilities in software libraries provided by third parties and used in their own cloud service.

Known vulnerabilities in externally related system components (e.g. operating systems) used for the development and provision of the cloud service but not going through the cloud service provider's software development process are the subject of criterion OPS-25 (Managing Vulnerabilities, Incidents and Errors - Vulnerability Scans).

Bezeichnung	Standard

1.1 Referenzen

1.2 Identifizierte Anforderungen

1.2 Related Regulation

2. Identifizierte Anforderungen

Anforderungen
Source	Anforderung

3. Related Regulations

Regulations
Source	Regulierung

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html