ABSTRACT
Before accepting software for deployment into the production environment or release to the customers, it is important to ensure that the software that has been developed or acquired meets required compliance, quality, functional, and assurance (security) requirements. In today’s security landscape, considerations when accepting software must go beyond mere functionality and take security into account as well. Validation and verification (V&V) of just the business functionality are insufficient to accept software for release. It is also critically important to understand the impact that the accepted software will have on the existing computing ecosystem, regardless of whether it has been developed (built) or procured (bought). Security requirements need to be validated and security controls (safeguards and countermeasures) verified by internal and/or independent third party security testing. Software must not be deployed/released until it has been certified and accredited that the residual risk is at the appropriate level. Additionally, in cases where software is procured from an external software publisher, certain nontechnical protection mechanisms need to be in place as acceptance criteria, and these must be validated and verified as well.
