SA-15(7)—Automated Vulnerability Analysis
Control Description
Require the developer of the system, system component, or system service [Assignment: organization-defined frequency] to:
a. Perform an automated vulnerability analysis using [Assignment: organization-defined tools];
b. Determine the exploitation potential for discovered vulnerabilities;
c. Determine potential risk mitigations for delivered vulnerabilities; and
d. Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles].
Supplemental Guidance
Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations.