PW.8.1—Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used.
>Control Description
Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used.
>Practice: PW.8
Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
Help identify vulnerabilities so that they can be corrected before the software is released in order to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities and improves traceability and repeatability. Executable code includes binaries, directly executed bytecode and source code, and any other form of code that an organization deems executable.
>Notional Implementation Examples
1. Follow the organization's policies or guidelines for when code testing should be performed and how it should be conducted (e.g., within a sandboxed environment). This may include third-party executable code and reusable executable code modules written in-house.
2. Choose testing methods based on the stage of the software.
>Cross-Framework References
Mappings to related frameworks and standards from NIST SP 800-218
| Framework / Standard | Mapped reference(s) |
|---|---|
| BSA FSS | TV.3 |
| BSIMM | PT2.3 |
| EO 14028 | 4e(ix) |
| IEC 62443 | SVV-1, SVV-2, SVV-3, SVV-4, SVV-5 |
| NIST Labels | 2.2.2.2 |
| SAFECode SIC | Peer Reviews and Security Testing |
| SP 800-53, SP 800-161 | SA-11 |
| SP 800-181 (NICE) | SP-DEV-001, SP-DEV-002, T0456, K0013, K0039, K0070, K0153, K0165 (+11 more) |