
SA-11(6) Developer Security Testing

PBMM (P3)
Secret (P3)
Management

Control Description

DEVELOPER SECURITY TESTING AND EVALUATION | ATTACK SURFACE REVIEWS

The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.

Supplemental Guidance

Attack surfaces of information systems are exposed areas that make those systems more vulnerable to cyber-attacks. This includes any accessible areas where weaknesses or deficiencies in information systems (including the hardware, software, and firmware components) provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers: (i) analyze both design and implementation changes to information systems; and (ii) mitigate attack vectors generated as a result of the changes.

Correction of identified flaws includes, for example, deprecation of unsafe functions.
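The guidance above describes what an attack surface review of an implementation change has to find: new exposure introduced by the change, and flaws such as calls to unsafe functions that a deprecation policy should have removed. The following script is an added illustration of one way a developer can automate that part of the review in a change gate; it is not part of the control text and not a catalogue-defined tool. It scans the added lines of a unified diff for calls to a banned-function list and for calls that enlarge the exposed surface (new listeners, shell execution). The function names, the banned list, the surface list and the sample diff are all assumptions constructed for this example; a real program maintains its own banned-API policy.

```python
"""Added example (not from the control text): review gate that inspects an
implementation change, given as a unified diff, for newly introduced calls to
deprecated unsafe C functions and for new externally reachable entry points.
The lists below are assumptions for illustration, not a catalogue-defined policy."""
import re

# Deprecated unsafe functions and the replacement a reviewer would ask for.
BANNED = {
    "strcpy": "strlcpy or a bounded copy with an explicit length",
    "strcat": "strlcat or a bounded concatenation",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}

# Calls whose introduction enlarges the attack surface and warrants review.
SURFACE = {
    "listen": "new network listener",
    "accept": "new inbound connection handling",
    "system": "shell command execution",
    "popen": "shell command execution",
}

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def _call_re(names):
    # Match name( as a whole identifier: the lookbehind keeps fgets( from
    # matching gets and vsprintf( from matching sprintf.
    return re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, names)) + r")\s*\(")


BANNED_RE = _call_re(BANNED)
SURFACE_RE = _call_re(SURFACE)


def added_lines(diff_text):
    """Yield (path, new_line_no, text) for every line the diff adds."""
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        elif (m := HUNK_RE.match(raw)):
            line_no = int(m.group(1))        # first line number of the new-file side
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif raw.startswith("-"):
            continue                         # removed lines occupy no line in the new file
        else:
            line_no += 1                     # unchanged context line


def _strip_line_comment(text):
    return text.split("//", 1)[0]


def _scan(diff_text, pattern, table):
    hits = []
    for path, line, text in added_lines(diff_text):
        for m in pattern.finditer(_strip_line_comment(text)):
            hits.append((path, line, m.group(1), table[m.group(1)]))
    return hits


def find_unsafe_calls(diff_text):
    """[(path, line, func, suggested replacement)] for banned calls the change adds."""
    return _scan(diff_text, BANNED_RE, BANNED)


def find_surface_changes(diff_text):
    """[(path, line, func, reason)] for surface-enlarging calls the change adds."""
    return _scan(diff_text, SURFACE_RE, SURFACE)


def review_verdict(diff_text):
    """BLOCK on any banned call; REVIEW if the surface grew; PASS otherwise."""
    if find_unsafe_calls(diff_text):
        return "BLOCK"
    if find_surface_changes(diff_text):
        return "REVIEW"
    return "PASS"


# Constructed sample change: it replaces a bounded copy with strcpy, adds an
# unbounded sprintf, and opens a listening socket.
SAMPLE_DIFF = """\
diff --git a/net/handler.c b/net/handler.c
--- a/net/handler.c
+++ b/net/handler.c
@@ -10,3 +10,5 @@ int handle(int fd, const char *src)
     char buf[64];
-    strncpy(buf, src, sizeof buf - 1);
+    strcpy(buf, src);              /* unbounded copy into 64-byte buffer */
+    sprintf(msg, "%s", buf);
+    listen(fd, 16);
     return 0;
"""

if __name__ == "__main__":
    for path, line, func, fix in find_unsafe_calls(SAMPLE_DIFF):
        print(f"{path}:{line}: banned call {func}(); use {fix}")
    for path, line, func, why in find_surface_changes(SAMPLE_DIFF):
        print(f"{path}:{line}: attack surface change: {func}() ({why})")
    print("verdict:", review_verdict(SAMPLE_DIFF))
```

The check is deliberately line-based: it needs no compiler and runs on the diff alone, so it fits a pre-merge gate, but it is a heuristic rather than a parse of the C code and does not replace the design-level part of the review. A BLOCK result is the deprecation policy being enforced; a REVIEW result is a prompt for a human to confirm that the new entry point was intended and that its handling is hardened.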

Tailoring Guidance

Apply to boundary components and other security-critical components. For COTS products, require third-party evaluation, such as Common Criteria.
