# Code Management

Code Management is a [[Foundational Capabilities|Product Development]] capability that [[Cybersecurity]] capabilities directly depend on. Code that is not ready for production from a security standpoint can leak into a product or service and hand adversaries exploitable opportunities. Finding security defects before they are released is the goal, and that effort should begin at the inception of code development rather than at the final release gate.

## Map

```mermaid
<!-- element style="width:90%; height:auto" -->
graph TD
subgraph two[Foundational]
subgraph subPadding1[ ]
direction LR
F[Application Management]
G[Asset Management]
H[Backup and Recovery]
I[Code Management]
J[Data Management]
K[Device Management]
L[Domain Management]
M[Email Management]
N[Identity and Access Management]
O[Log Management]
P[Network Management]
Q[Policy Automation]
R[Stream Processing]
S[Third Party Management]
T[Training]
F ~~~ G
G ~~~ H
H ~~~ I
I ~~~ J
K ~~~ L
L ~~~ M
M ~~~ N
N ~~~ O
P ~~~ Q
Q ~~~ R
R ~~~ S
S ~~~ T
end
end
%% Class Definitions
%% =====================
class two subPadding;
classDef subPadding fill:none,font-size:20px;
class subPadding1,subPadding2 subgraph_padding;
classDef subgraph_padding stroke:none,fill:none,margin:0;
class F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:#333,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T cssClassL1;
classDef cssClassL1 fill:gray,stroke:#333,stroke-width:0px,font-size:15px,font-color:white;
class I cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

## Maturity Model

| | Stage 1 | Stage 2 | Stage 3 | Stage 4 | Stage 5 |
| ------------- | ------- | ------- | ------- | ------- | ------- |
| **Category** | | | | | |
| **Dependent** | | | | | |

## Requirements

| Category | Guidance | Dependent Capability | Adversary Persona |
| ------------------------------------- | ---------------------------------------------------------------- | -------------------- | ------------------------------------------------------------ |
| **Secure Software Development** | + Test all software components | | [[Script Kiddies]]<br>[[Bug Bounty]]<br>[[Cyber Researcher]] |
| **File Integrity Management** | + Check all files for integrity to prevent tampering | | [[Supply Chain]] |
| **Software Bill of Materials (SBOM)** | + Develop code provenance<br>+ Verify software component changes | | [[Supply Chain]] |
| **Secure Supply Chain** | | | [[Supply Chain]] |

## Metrics

>[!cm-metric] Metric: [[% of Security Findings vs. Total Defects]]

>[!cm-metric] Metric: [[Fix Rate]]

>[!cm-metric] Metric: [[% of Pull Requests that Roll Back Changes]]

## Inspiration & Resources

+ [<— Shifting Security to the Left — DevSecOps](https://www.devsecops.org/blog/2016/5/20/-security)

## Release Notes

+ [[WIP - Q3 2024 Release#Document Foundational Capabilities and Develop Templates for sub-pages]]

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.
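The File Integrity Management and SBOM rows of the Requirements table above ask for two concrete checks: confirm that no file has been tampered with, and confirm that the software components shipped in a build are the ones that were reviewed. The script below is an added example written for this page, not tooling from the Cyber City Map or ThirdScore. The manifest layout (relative path to SHA-256 digest), the sample files it writes to a temporary directory, and the two CycloneDX-style SBOM fragments are all constructed for the demonstration; real SBOMs carry many more fields, and only the `components` array with `name`, `version` and `purl` keys is consulted here.

```python
"""Added example for the Requirements table: file-integrity manifest checking
(File Integrity Management row) and SBOM component-change detection (SBOM row).
Written for this page; not tooling from the Cyber City Map. The manifest
layout, sample files and SBOM fragments are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream the file so large build artifacts need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file (POSIX path relative to root) to its digest.
    Assumed manifest format; sign it or store it outside the tree it
    describes, otherwise whoever can alter the files can alter the manifest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree against the manifest. Unexpected files matter as much
    as modified ones: a dropped-in file is the classic tampering pattern."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _component_key(component: dict) -> str:
    """Identity of a component without its version, so a version bump shows
    as a change rather than as one removal plus one addition. Uses the package
    URL (purl) when present, stripping qualifiers, subpath and version;
    falls back to the bare name for components that have no purl."""
    purl = component.get("purl")
    if not purl:
        return component["name"]
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0]


def diff_sbom_components(old_sbom: dict, new_sbom: dict) -> dict[str, list]:
    """Report added, removed and version-changed components between two
    CycloneDX-style documents (only the 'components' array is consulted)."""
    old = {_component_key(c): c.get("version", "") for c in old_sbom.get("components", [])}
    new = {_component_key(c): c.get("version", "") for c in new_sbom.get("components", [])}
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k]),
    }


def demo() -> tuple[dict, dict]:
    """Build a small tree, record its manifest, tamper with it, then diff two
    constructed SBOM fragments. Returns (integrity report, sbom report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "main.py").write_bytes(b"print('hello')\n")
        (root / "requirements.txt").write_bytes(b"requests==2.31.0\n")
        manifest = build_manifest(root)
        # Simulated tampering after the manifest was recorded.
        (root / "app" / "main.py").write_bytes(b"print('hello')\nimport os  # injected\n")
        (root / "requirements.txt").unlink()
        (root / "app" / "dropper.py").write_bytes(b"# not in the manifest\n")
        integrity = verify_manifest(root, manifest)

    # Constructed SBOM fragments: requests bumped, certifi dropped, idna added.
    old_sbom = {"bomFormat": "CycloneDX", "components": [
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"name": "certifi", "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"},
        {"name": "internal-lib", "version": "1.0"},  # no purl: keyed by name
    ]}
    new_sbom = {"bomFormat": "CycloneDX", "components": [
        {"name": "requests", "version": "2.32.0", "purl": "pkg:pypi/requests@2.32.0"},
        {"name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"name": "idna", "version": "3.6", "purl": "pkg:pypi/idna@3.6"},
        {"name": "internal-lib", "version": "1.0"},
    ]}
    return integrity, diff_sbom_components(old_sbom, new_sbom)


if __name__ == "__main__":
    for name, report in zip(("file integrity", "sbom components"), demo()):
        print(name, report)
```

In a pipeline the manifest would be generated at the point the code was reviewed and carried forward (signed, or fetched from a store the build agent cannot write to) so that the release step can run `verify_manifest` against the artifact actually being shipped; any entry in `modified`, `missing` or `unexpected` is a release blocker, not a warning. The SBOM diff is the "verify software component changes" half of the SBOM row: a non-empty `added` or `changed` list is the set of components that need a fresh review before the build is promoted, and keying on the purl without its version is what keeps an ordinary upgrade from being reported as an unrelated add and remove.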