Testing of Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements, v1.1

Specifies requirements in accordance with NIST Secure Software Development Framework (SSDF), version 1.1, Practice PW.8: Testing of Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements. The practice requires an organization to identify vulnerabilities so that they can be corrected before the software is released, preventing their exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities and improves traceability and repeatability. Executable code includes binaries, directly executed bytecode and source code, and any other form of code that an organization deems executable.

Assessment Steps (2)

1. Determination of Suitable Executable Code Tests (DeterminationofSuitableExecutableCodeTests)
Does the organization determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used?
Artifact A1: Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.

2. Design and Implementation of Testing and Defect Remediation Processes (DesignandImplementationofTestingandDefectRemediationProcesses)
Does the organization scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team's workflow or issue tracking system?
Artifact A1: Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.

Conformance Criteria (2)

1. Determination of Suitable Executable Code Tests
The organization must determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used.
Citation: SSDF Task PW.8.1

2. Design and Implementation of Testing and Defect Remediation Processes
The organization must scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team's workflow or issue tracking system.
Citation: SSDF Task PW.8.2