Current Requirement

The VNF SHOULD have source code scanned using scanning tools (e.g., Fortify) and provide reports.

Proposed Requirement

The VNF provider MUST follow GSMA vendor practices, and <others> when developing the VNF in order to minimize the risk of vulnerabilities. See GSMA NESAS Network Equipment Security Assurance Scheme – Development and Lifecycle Security Requirements Version 1.0 (https://www.gsma.com/security/wp-content/uploads/2019/11/FS.16-NESAS-Development-and-Lifecycle-Security-Requirements-v1.0.pdf) and SEI CERT Coding Standards (https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards).

NOTE: Samuli will provide list of references