💼 SA-11 Developer Testing and Evaluation

Description

Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
  a. Develop and implement a plan for ongoing security and privacy control assessments;
  b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage];
  c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
  d. Implement a verifiable flaw remediation process; and
  e. Correct flaws identified during testing and evaluation.

Similar

  • Internal
    • ID: dec-c-874bb0ca

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
  • 💼 FedRAMP High Security Controls → 💼 SA-11 Developer Testing and Evaluation (M)(H) | 2
  • 💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations | 10
  • 💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | 23
  • 💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities | 24
  • 💼 NIST CSF v2.0 → 💼 ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
  • 💼 SA-11(1) Developer Testing and Evaluation | Static Code Analysis
  • 💼 SA-11(2) Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
  • 💼 SA-11(3) Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence
  • 💼 SA-11(4) Developer Testing and Evaluation | Manual Code Reviews
  • 💼 SA-11(5) Developer Testing and Evaluation | Penetration Testing
  • 💼 SA-11(6) Developer Testing and Evaluation | Attack Surface Reviews
  • 💼 SA-11(7) Developer Testing and Evaluation | Verify Scope of Testing and Evaluation
  • 💼 SA-11(8) Developer Testing and Evaluation | Dynamic Code Analysis
  • 💼 SA-11(9) Developer Testing and Evaluation | Interactive Application Security Testing