NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-12(7) — Assessments Prior to Selection / Acceptance / Update
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Assess the security of components before selecting them, before accepting delivery, and before installing updates. Each of these stages is a point at which a weak or tampered component can enter the system, so each needs its own check.
Example 1: Before selecting a new software component, review its security track record: check CVE databases for past vulnerabilities, review the vendor's patching history, and evaluate their security certifications. A product with a history of critical vulnerabilities and slow patches is a higher risk.
Example 2: Before installing vendor updates, verify the update's digital signature and hash against the vendor's published values. Test updates in a non-production environment first to verify they do not introduce security regressions. Only deploy to production after successful testing.
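The hash check in Example 2, as an added example that is not part of this control text or any vendor's tooling: an acceptance gate that verifies a downloaded update against the vendor's published SHA256SUMS-style manifest (the sha256sum -c format) and refuses anything unlisted, mismatched, or published with a non-SHA-256 digest. The update payload and manifest below are constructed sample data; the digital-signature check on the manifest itself (gpg, signtool, or the vendor's own signing tool) is assumed to run separately before this gate.

```python
"""Update acceptance gate: verify a downloaded vendor update against the
vendor's published SHA-256 manifest before it is staged in non-production."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass
class Verdict:
    accepted: bool
    reason: str


HEX = set("0123456789abcdef")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse '<64-hex-digest>  <filename>' lines (sha256sum -c format).
    A digest of any other length/alphabet is rejected outright, so a manifest
    that was silently downgraded to MD5 or SHA-1 cannot pass the gate."""
    entries: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 digest")
        entries[name] = digest
    return entries


def verify_update(name: str, data: bytes, manifest_text: str) -> Verdict:
    """Return accept/reject for one downloaded artifact; reject on any doubt."""
    try:
        manifest = parse_sha256sums(manifest_text)
    except ValueError as exc:
        return Verdict(False, f"reject: {exc}")
    expected = manifest.get(name)
    if expected is None:
        return Verdict(False, f"reject: {name} is not listed in the vendor manifest")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):  # constant-time compare
        return Verdict(False, "reject: digest mismatch, do not stage for testing")
    return Verdict(True, "accept: digest matches, stage in non-production first")


# Constructed sample: a fake update payload and the manifest the vendor would
# publish for it (the digest is derived here only so the example is self-contained).
SAMPLE_UPDATE = b"example-vendor-agent-2.4.1 update payload\n"
SAMPLE_MANIFEST = f"{hashlib.sha256(SAMPLE_UPDATE).hexdigest()}  agent-2.4.1.tar.gz\n"

if __name__ == "__main__":
    print(verify_update("agent-2.4.1.tar.gz", SAMPLE_UPDATE, SAMPLE_MANIFEST))
    print(verify_update("agent-2.4.1.tar.gz", SAMPLE_UPDATE + b"\x00", SAMPLE_MANIFEST))
```

A rejected verdict should stop the pipeline before the non-production test stage, and the reason string is what belongs in the acceptance record for the update.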