SA-11(9): Interactive Application Security Testing

CSF v1.1 References:


(Not part of any baseline)

Info icon.

Control is new to this version of the control set.

Control Statement

Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.

Supplemental Guidance

Interactive (also known as instrumentation-based) application security testing is a method of detecting vulnerabilities by observing applications as they run during testing. The use of instrumentation relies on direct measurements of the actual running applications and uses access to the code, user interaction, libraries, frameworks, backend connections, and configurations to directly measure control effectiveness. When combined with analysis techniques, interactive application security testing can identify a broad range of potential vulnerabilities and confirm control effectiveness. Instrumentation-based testing works in real time and can be used continuously throughout the system development life cycle.