SA-11-727 Developer Security Testing and Evaluation

Developer Security Testing and Evaluation

Control ID

SA-11-727

Control Name

Developer Security Testing and Evaluation

Control Category

Security Assessment and Authorization

Functional Areas

Protect

Sub-Areas

Secure System Services, Acquisition and Development

NIST Baseline Level(s)

MOD, HIGH

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Systems are implemented which are not developed according to internal security standards.

Control Description

The organization requires the developer of the information system, system component, or information system service to: a. Create and implement a security assessment plan; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during security testing/evaluation.

Control Example

Security assessment planning and analysis are a part of the routine code development process.

State Implementation

No statewide control

Testing Procedures

Obtain system and services acquisition policy; procedures addressing information system developer/integrator security testing; acquisition contracts and service level agreements; information system developer/integrator security test plans; records of developer/integrator security testing results for the information system; other relevant documents or records and ascertain if : (I)the organization requires that information system developers (and systems integrators) create a security test and evaluation plan, implement the plan, and document the results.