16.13: Conduct Application Penetration Testing
Control is new to this version of the control set.
Control Statement
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]