@@ -107,11 +107,11 @@ If automatable vulnerability scanners are available for the product, then the pr
* Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement => PASS, otherwise FAIL
* Evidence: Documented vulnerability handling policy, list of vulnerability scanners selected, reports from each scanner, correlation of reports of discovered vulnerabilities with documentation of mitigations
### 5.2.3 TR-SSDD: Secure design and development
### 5.2.3 TR-SSDD: Secure software design and development
#### 5.2.3.1 Requirement
The product shall be designed and developed in a secure manner.
Software shall be designed and developed in a secure manner.
#### 5.2.3.2 MI-SSCA: Static source code analysis for memory errors
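Review bot: The rewording of the requirement text from "The product shall be designed and developed in a secure manner." to "Software shall be designed and developed in a secure manner." narrows the scope from product to software but leaves "Software" unqualified, while the sibling requirement in this document speaks of "cybersecurity-relevant software"; consider aligning the wording (for example "The product's software shall be designed and developed in a secure manner.") so that it is clear which software the TR-SSDD requirement and its MI-SSCA sub-requirement apply to. The heading change to "Secure software design and development" is consistent with the new requirement text, but any other section that cites the TR-SSDD objective by its old name needs the same update.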
@@ -174,7 +174,7 @@ All cybersecurity-relevant software shall be compiled with secure compilation fl
* Applicability: Product implemented in a compiled language
* Reference: TR-SSDD
* Objective: Secure design and development
* Objective: Secure software design and development
* Preparation: Document which flags should be used
* Activities: Review compilation flags, warnings, and documentation for exceptions
* Verdict: Documentation of flags exists, all warnings and exceptions are documented
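Review bot: The Objective line is updated to "Secure software design and development" to match the renamed heading, but the Applicability line still reads "Product implemented in a compiled language" while the requirement it references is now scoped to software; consider "Software implemented in a compiled language" for consistency. Separately, the Verdict line "Documentation of flags exists, all warnings and exceptions are documented" does not follow the "... => PASS, otherwise FAIL" pattern used by the verdict in the earlier hunk, so the pass/fail outcome is not stated explicitly; suggest appending "=> PASS, otherwise FAIL" here as well.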