SA-11: Developer Testing and Evaluation
Control Family:
Baselines:
- Low: N/A
- Moderate: SA-11
- High: SA-11
- Privacy: SA-11
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SA-11: Developer Security Testing And Evaluation
Control Statement
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
- Develop and implement a plan for ongoing security and privacy assessments;
- Perform [Assignment (one or more): unit, integration, system, regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage];
- Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
- Implement a verifiable flaw remediation process; and
- Correct flaws identified during testing and evaluation.
Supplemental Guidance
Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes, including upgrading or replacing applications, operating systems, and firmware, may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.
Developers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation.
Control Enhancements
SA-11(1): Static Code Analysis
Baseline(s):
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11(2): Threat Modeling and Vulnerability Analyses
Baseline(s):
Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:
- Uses the following contextual information: [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
- Employs…
SA-11(3): Independent Verification of Assessment Plans and Evidence
Baseline(s):
- Require an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and
- Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
SA-11(4): Manual Code Reviews
Baseline(s):
Require the developer of the system, system component, or system service to perform a manual code review of [Assignment: organization-defined specific code] using the following processes, procedures, and/or techniques: [Assignment: organization-defined processes, procedures, and/or techniques].
SA-11(5): Penetration Testing
Baseline(s):
Require the developer of the system, system component, or system service to perform penetration testing:
- At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and
- Under the following constraints: [Assignment: organization-defined constraints].
SA-11(6): Attack Surface Reviews
Baseline(s):
Require the developer of the system, system component, or system service to perform attack surface reviews.
SA-11(7): Verify Scope of Testing and Evaluation
Baseline(s):
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].
SA-11(8): Dynamic Code Analysis
Baseline(s):
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-11(9): Interactive Application Security Testing
Baseline(s):
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.