Code Compliance

Our platform has coverage for the following compliance standards.

Meet compliance requirements, conform with leading security standards and reduce cyber risk. Compliance requirements continue to increase, and business partners often require conformance with an accepted security standard, such as NIST or ISO 27000.

With the Nucleaus platform, your team can address compliance requirements related to code and application security with out-of-the-box functionality and workflows that are incorporated into the SDLC and performed before the application is deployed into the production environment. The Nucleaus platform bundles code scanning and vulnerability assessment capabilities while validating conformance to architectural best practices. With Nucleaus, your teams can stay current with industry trends to ensure code scans address new vulnerabilities.

Nucleaus is built around the NIST compliance standards. When scanning your code, we make it transparent “when your doors are unlocked and your windows are open”. This gives you the tools to act against the highest-priority risks and protect your assets. With its easy-to-read console, Nucleaus gives your teams the information they need to continuously reduce vulnerabilities in your code.

NIST CSF v1.1

DE.CM-8: Vulnerability scans are performed

ID.RA-1: Asset vulnerabilities are identified and documented

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources

PR.IP-12: A vulnerability management plan is developed and implemented

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks


NIST 800-171

3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

3.14.1 Identify, report, and correct information and system flaws in a timely manner.

NIST CSF v1.0

DE.CM-8: Vulnerability scans are performed

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources

PR.IP-12: A vulnerability management plan is developed and implemented

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

PCI DSS 3.2

6.1 Establish a process to identify security vulnerabilities by using reputable outside sources for security vulnerability information and assign a risk ranking to newly discovered security vulnerabilities.

6.2 Risk ranking vulnerabilities

11.2 Requires that vulnerability scanning is performed at least quarterly

DFARS Compliance

The DFARS (Defense Federal Acquisition Regulation Supplement) requires defense contractors to comply with specific cybersecurity requirements detailed in NIST 800-171.


ISO 27002:2013

A.12.6.1 Technical vulnerability management

A.14.2.8 Testing the security functionality of the system


ISO 27002:2005

A.12.6.1 Technical vulnerability management

A.13.1.2 Identify security mechanisms, service levels, and management requirements related to all network services.

A.15.2.2 Addressing security within supplier agreements


Critical Security Control

CWE/SANS TOP 25: The Top 25 Software Errors

Critical Security Control #3: Continuous Vulnerability Assessment and Remediation


NIST 800-82 rev2

6.2.16: System and Communications Protection

6.2.17: System and Information Integrity


OWASP Top Ten

OWASP Top 10: links to the full entry data, data fields for weakness prevalence and consequences, code examples, and detection methods
