SA-11-727 Developer Security Testing and Evaluation

SA-11-727
Developer Security Testing and Evaluation
Security Assessment and Authorization
Protect
Secure System Services, Acquisition and Development
MOD, HIGH
P1
No
Systems are implemented which are not developed according to internal security standards.
The organization requires the developer of the information system, system component, or information system service to: a. Create and implement a security assessment plan; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during security testing/evaluation.
Security assessment planning and analysis are a part of the routine code development process.
No statewide control
Obtain system and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; other relevant documents or records and ascertain if: (I) the organization requires that information system developers (and systems integrators) create a security test and evaluation plan, implement the plan, and document the results.