en:cs:quality_report

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

en:cs:quality_report [2018/02/11 21:31] – [List of Product Standard Requirements] fraggleen:cs:quality_report [2021/12/27 18:25] (Version actuelle) – modification externe 127.0.0.1
Ligne 69: Ligne 69:
 ===== Product Standards Compliance Process ===== ===== Product Standards Compliance Process =====
  
-The Product Standards (PS) Compliance process is a process in where every SAP product needs to plan, implement, test, and report its fulfillment of the product standard requirements. This process is a lean governance type one. +The Product Standards (PS) Compliance process is a process in where every SAP product needs to plan, implement, test, and report its fulfillment of the product standard requirements. This process is a lean type governance one. 
  
 ==== Governance Model ==== ==== Governance Model ====
Ligne 210: Ligne 210:
 ==== Role of the Product Standard Security requirements ==== ==== Role of the Product Standard Security requirements ====
  
-By introducing the risk-based secure Software Development Lifecycle the product standard security acts as product security knowledge base containing best practices of secure software development and as a threat-library for the program specific risk assessment. The question whether a program needs to comply with a product standard requirement or not depends on the underlying risk that was identified and rated during the risk assessment.  According to the lean governance concept the Product Owner is responsible to ensure an adequate security level in the product by managing risks and mitigations diligently. As a consequence a program can decide which risks can be accepted and which risks need to be partlxy or full mitigated, as long corporate requirements are not violated.+By introducing the risk-based secure Software Development Lifecycle the product standard security acts as product security knowledge base containing best practices of secure software development and as a threat-library for the program specific risk assessment. The question whether a program needs to comply with a product standard requirement or not depends on the underlying risk that was identified and rated during the risk assessment.  According to the lean governance concept the Product Owner is responsible to ensure an adequate security level in the product by managing risks and mitigations diligently. As a consequence a program can decide which risks can be accepted and which risks need to be partly or full mitigated, as long corporate requirements are not violated.
  
 In case of corporate violations in addition an exceptional approval needs to be requested. In case of corporate violations in addition an exceptional approval needs to be requested.
  
-Links to the requirements are provided in the table below ordered by relevant security topics. In addition, further columns of the table indicate if a requirement belongs to (A) Regulatory Compliance (B) Vulnerability Prevention (C) Strategy and Reduction of Attack Surface.+List of the requirements is provided in the table below ordered by relevant security topics. In addition, further columns of the table indicate if a requirement belongs to (A) Regulatory Compliance (B) Vulnerability Prevention (C) Strategy and Reduction of Attack Surface.
  
 ==== List of Product Standard Requirements ==== ==== List of Product Standard Requirements ====
- 
- 
  
 ^ Requirements ^ (A) ^ (B) ^ (C) ^  ^ Requirements ^ (A) ^ (B) ^ (C) ^ 
Ligne 251: Ligne 249:
 | **Authorization** | | | |  | **Authorization** | | | | 
 | SEC-248 - Enforce a secure authorization concept |X|X||  | SEC-248 - Enforce a secure authorization concept |X|X|| 
-| SEC-250 - Provide administration of authorizations based on platform tools | |X| | +| SEC-250 - Provide administration of authorizations based on platform tools | | |X
 | **Secure Data at Rest** | | | |  | **Secure Data at Rest** | | | | 
-| SEC-271 - Protect sensitive data when stored persistently |X|X| +| SEC-271 - Protect sensitive data when stored persistently |X|X
 | SEC-272 - Encrypt sensitive data when stored persistently | |X| | | SEC-272 - Encrypt sensitive data when stored persistently | |X| |
 | **Strong Crypto** | | | |  | **Strong Crypto** | | | | 
 | SEC-266 - Use recommended cryptography only | |X| |  | SEC-266 - Use recommended cryptography only | |X| | 
-| Secure Multi-Tenancy | | | | +**Secure Multi-Tenancy** | | | | 
 | SEC-253 - Implement multi-tenancy support in a secure way | |X| |  | SEC-253 - Implement multi-tenancy support in a secure way | |X| | 
-| SEC-273 - Provide security configuration per tenant in a multi-tenant system | |X| | +| SEC-273 - Provide security configuration per tenant in a multi-tenant system | | |X
 | **Auditing and Logging** | | | |  | **Auditing and Logging** | | | | 
-| SEC-215 - Log security relevant events |X| |  +| SEC-215 - Log security relevant events |X| |  
-| SEC-268 - Log changes to program code and version |X| |   +| SEC-268 - Log changes to program code and version |X| |   
 | **Data Protection & Privacy** | | | | | **Data Protection & Privacy** | | | |
 | SEC-218 (see "Secure Communications") | | | |  | SEC-218 (see "Secure Communications") | | | | 
Ligne 268: Ligne 266:
 | SEC-248 (see "Authorization") | | | | | SEC-248 (see "Authorization") | | | |
 | SEC-271 (see "Secure Data at Rest") | | | | | SEC-271 (see "Secure Data at Rest") | | | |
-| SEC-224 - Capture explicit user consent before collecting any personal data |X|X|  +| SEC-224 - Capture explicit user consent before collecting any personal data |X|X|  
-| SEC-254 - Log read access to sensitive personal data |X|X|  +| SEC-254 - Log read access to sensitive personal data |X|X|  
-| SEC-255 - Provide a retrieval function which can be used to inform the data subjects about the personal data stored about them. |X|X|  +| SEC-255 - Provide a retrieval function which can be used to inform the data subjects about the personal data stored about them. |X|X|  
-| SEC-256 - Erase personal data when all applicable retention periods have expired |X|X|  +| SEC-256 - Erase personal data when all applicable retention periods have expired |X|X|  
-| SEC-265 - Log changes to personal data |X|X| +| SEC-265 - Log changes to personal data |X|X| 
 | **Secure-by-default** | | | | | **Secure-by-default** | | | |
 | SEC-239 - Fail securely | |X| |  | SEC-239 - Fail securely | |X| | 
-| SEC-244 - Deliver with a secure default configuration | |X| |  +| SEC-244 - Deliver with a secure default configuration | | |X|  
-| SEC-275 - Enforce address space layout randomization, executable space protection and buffer overflow protection | |X| |  +| SEC-275 - Enforce address space layout randomization, executable space protection and buffer overflow protection | | |X|  
-| Secure-by-design | | | | +**Secure-by-design** | | | | 
-| SEC-219 - Provide a risk-adequate second line of defense against malicious input from the Internet | |X| |  +| SEC-219 - Provide a risk-adequate second line of defense against malicious input from the Internet | | |X|  
-| SEC-228 - Protect upload, download and display functions of untrusted files against MIME-type sniffing and virus attacks | |X| |  +| SEC-228 - Protect upload, download and display functions of untrusted files against MIME-type sniffing and virus attacks | | |X|  
-| SEC-240 - Implement security functions based on a consistent and documented concept | |X| |  +| SEC-240 - Implement security functions based on a consistent and documented concept | | |X|  
-| SEC-246 - All code delivered shall contribute to documented functionality | |X| |  +| SEC-246 - All code delivered shall contribute to documented functionality | | |X|  
-| SEC-247 - Provide a security guide explaining how to securely setup, configure, and operate | |X| | +| SEC-247 - Provide a security guide explaining how to securely setup, configure, and operate | | |X
-| SEC-258 - Provide separate access to administration functions | |X| |  +| SEC-258 - Provide separate access to administration functions | | |X|  
-| SEC-262 - Do not decrease the security level with updates of security settings or configurations | |X| |  +| SEC-262 - Do not decrease the security level with updates of security settings or configurations | | |X|  
-| SEC-269 - Provide basic compliance with Content Security Policy | |X| |  +| SEC-269 - Provide basic compliance with Content Security Policy | | |X|  
-| SEC-274 - Protect authenticity and integrity of all released executable code and artifacts | |X| |  +| SEC-274 - Protect authenticity and integrity of all released executable code and artifacts | | |X|  
-| SEC-277 - Run with minimal privileges required at all layers | |X| +| SEC-277 - Run with minimal privileges required at all layers | |X|  
 + 
 +There's a wiki page per requirements so Product Owner at SAP can have all the technical details easily.    
 + 
 +==== Corporate requirements ==== 
 + 
 +Corporate Requirements and Corporate Product Standard Requirements explained in context of product security and data protection & privacy: 
 + 
 +=== 1. Corporate Requirements are part of the Global Development Policy === 
 + 
 +SAP has defined a Corporate Requirement Framework as part of the Global Development Policy. 
 + 
 +A corporate requirement in this framework is defined as a rule to protect SAP as a company from material damage by taking into account legal implications, significant business risks and international standards.  
 +The SAP Quality Management (QM) Board approves and enacts the Corporate Requirements. All SAP units including affiliates and acquired companies have to comply with each corporate requirement.  
 + 
 +For Security and Data Protection & Privacy two corporate requirements are relevant: 
 +  * **Develop and Operate Secure Software Products**. The requirement describes verbally all the tasks of the Secure Software Development Lifecycle and the responsibilities of everyone involved in secure product development and also defines when and by whom exceptions need to be requested. 
 +  * **Data Protection & Privacy Compliance**. The requirement describes all mandatory tasks and refers to corporate product standard requirements to be fulfilled in order to get compliant.\\ In particular it mandates: 
 +    * Perform a Data Protection Compliance Evaluation  
 +    * Plan and ensure compliance with the corporate product standard requirements (see below). 
 + 
 +=== 2. Corporate Product Standard Requirements are part of the product standards === 
 + 
 +A Corporate Requirement can also define certain product standard requirements as corporate. That means non-compliance of a corporate product standard requirement leads automatically to non-compliance to the referring Corporate Requirement of the Corporate Requirement Framework. 
 + 
 +For Data Protection & Privacy currently five corporate requirements are defined as part of the Product Standard Security: 
 + 
 +  * SEC-254 - Log read access to sensitive personal data 
 +  * SEC-255 - Provide a retrieval function which can be used to inform the data subjects about the personal data stored about them. 
 +  * SEC-256 - Erase personal data when all applicable retention periods have expired 
 +  * SEC-265 - Log changes to personal data 
 +  * SEC-224 - Capture explicit user consent before collecting any personal data.  
 + 
 +=== 3. Deviations / Non-Compliance === 
 + 
 +In case of deviations of one or more of these corporate product standard requirements an exceptional approval needs to be requested. 
 + 
 +The Global Security Policy is a criticality driven approach. 
 +The Corporate requirement Develop and Operate Secure Software Products defines the following non-compliance: 
 +  * Known open vulnerabilities with CVSS (Common Vulnerability Scoring System) base score >=7.0 are going to be delivered or re-delivered to customers in a new release or support package 
 + 
 +Besides of corporate product standard requirement deviations a corporate requirement non-compliance can also happen in case of a  process violation.
  
 +For Security and DPP (Data Protection & Privacy) this means:
 +  * A Security Validation Report is rated by two stars or less can be considered as a process violation and exceptional approval needs to requested 
  • en/cs/quality_report.1518381072.txt.gz
  • Dernière modification : il y a 3 ans
  • (modification externe)