8.3 Assess the effectiveness of software security

• 8.3.1 Auditing and logging of changes
• 8.3.2 Risk analysis and mitigation

8.4 Assess security impact of acquired software

• 8.4.1 Commercial-off-the-shelf (COTS)
• 8.4.2 Open Source
• 8.4.3 Third-Party
• 8.4.4 Managed Services (e.g.., enterprise applications)
• 8.4.5 Cloud Services (e.g.., SaaS, IaaS, PaaS)