
PW.8.2

>Control Description

Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

>Practice: PW.8

Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements

Help identify vulnerabilities so that they can be corrected before the software is released in order to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities and improves traceability and repeatability. Executable code includes binaries, directly executed bytecode and source code, and any other form of code that an organization deems executable.

>Notional Implementation Examples

  1. Perform robust functional testing of security features.
  2. Integrate dynamic vulnerability testing into the project’s automated test suite.
  3. Incorporate tests for previously reported vulnerabilities into the project’s test suite to ensure that errors are not reintroduced.
  4. Take into consideration the infrastructures and technology stacks that the software will be used with in production when developing test plans.
  5. Use fuzz testing tools to find issues with input handling.
  6. If resources are available, use penetration testing to simulate how an attacker might attempt to compromise the software in high-risk scenarios.
  7. Identify and record the root causes of discovered issues.
  8. Document lessons learned from code testing in a wiki that developers can access and search.
  9. Use source code, design records, and other resources when developing test plans.
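Examples 3, 5 and 7 above in code, as an added illustration that is not part of the NIST page or of any project's code: a constructed file-name resolver in a pre-fix and a fixed version, a regression test for a hypothetical earlier path-traversal report (placeholder id ISSUE-0000), a small random-input fuzz harness, and a Finding record carrying the fields a triaged issue-tracker entry would hold (input, root cause, recommended remediation).

```python
import posixpath
import random
import string
from dataclasses import dataclass
from typing import Callable, List, Optional

UPLOAD_BASE = "/srv/uploads"  # constructed base directory for the example


def resolve_upload_path_v1(name: str) -> str:
    """Pre-fix version (constructed): joins the name without any containment check."""
    return posixpath.join(UPLOAD_BASE, name)


def resolve_upload_path(name: str) -> str:
    """Fixed version: normalise, then require the result to stay under UPLOAD_BASE."""
    if not name or "\x00" in name:
        raise ValueError("invalid file name")
    full = posixpath.normpath(posixpath.join(UPLOAD_BASE, name))
    if not full.startswith(UPLOAD_BASE + "/"):
        raise ValueError("path escapes upload directory")
    return full


@dataclass
class Finding:
    """Fields recorded in the issue tracker for each discovered issue (example 7)."""
    test_id: str
    input_sample: str
    root_cause: str
    remediation: str


def regression_traversal(resolver: Callable[[str], str]) -> Optional[Finding]:
    """Regression test for the hypothetical earlier report ISSUE-0000 (example 3)."""
    for payload in ("../../etc/passwd", "a/../../b", "/etc/passwd", "."):
        try:
            resolver(payload)
        except ValueError:
            continue  # rejected as expected
        return Finding("ISSUE-0000-regression", payload,
                       "file name not normalised before containment check",
                       "normalise the path and reject anything outside UPLOAD_BASE")
    return None


def fuzz_resolver(resolver: Callable[[str], str], iterations: int = 2000,
                  seed: int = 1) -> List[Finding]:
    """Random input-handling test (example 5): only ValueError is an acceptable rejection."""
    rng = random.Random(seed)  # fixed seed so a failing input can be reproduced
    alphabet = string.ascii_letters + "./\x00"
    findings: List[Finding] = []
    for _ in range(iterations):
        name = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 24)))
        try:
            out = resolver(name)
        except ValueError:
            continue
        except Exception as exc:  # any other exception is a crash to triage
            findings.append(Finding("fuzz-crash", name, type(exc).__name__,
                                    "handle the input without raising"))
            continue
        if not posixpath.normpath(out).startswith(UPLOAD_BASE + "/"):
            findings.append(Finding("fuzz-escape", name, "containment check bypassed",
                                    "reject paths resolving outside UPLOAD_BASE"))
    return findings
```

Running both tests against the pre-fix resolver yields findings; against the fixed one they are empty, which is the regression guarantee example 3 asks for.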

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSA FSS

TV.3
TV.5
PD.1-4

BSIMM

ST1.1
ST1.3
ST1.4
ST2.4
ST2.5
ST2.6
ST3.3
ST3.4

EO 14028

4e(iv)
4e(v)
4e(ix)

IDA SOAR

7
8
10
11
38
39
43
44

IEC 62443

SM-5
SM-13
SI-1
SVV-1
SVV-2
SVV-3
SVV-4
SVV-5

NIST IR 8397

2.6
2.7
2.8
2.9
2.10
2.11

ISO 27034

7.3.6

Microsoft SDL

10
11

NIST Labels

2.2.2.2

OWASP MASVS

7.5

OWASP SAMM

ST1-A
ST1-B
ST2-A
ST2-B
ST3-A

PCI SSLC

4.1

SAFECode Agile

Operational Security Tasks 10, 11
Tasks Requiring the Help of Security Experts 4, 5, 6, 7

SAFECode FPSSD

Perform Dynamic Analysis Security Testing
Fuzz Parsers
Network Vulnerability Scanning
Perform Automated Functional Testing of Security Features/Mitigations
Perform Penetration Testing

SAFECode SIC

Peer Reviews and Security Testing

SP 800-161

SA-11
SA-11(5)
SA-11(8)
SA-15(7)

SP 800-181 (NICE)

SP-DEV-001
SP-DEV-002
T0013
T0028
T0169
T0176
T0253
T0266
