This past March, the National Institute of Standards and Technology (NIST) released the final public draft of NIST Special Publication 800-53, Revision 5. According to the abstract, “This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks… The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk.”
In the context of software security, control SA-11, DEVELOPER TESTING AND EVALUATION (beginning on page 267), requires the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
- Develop and implement a plan for ongoing security and privacy assessments;
- Perform testing/evaluation;
- Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
- Implement a verifiable flaw remediation process;
- Correct flaws identified during testing and evaluation.
The control enhancements listed under SA-11 are:
- STATIC CODE ANALYSIS
- THREAT MODELING AND VULNERABILITY ANALYSIS
- INDEPENDENT VERIFICATION OF ASSESSMENT PLANS AND EVIDENCE
- MANUAL CODE REVIEWS
- PENETRATION TESTING
- ATTACK SURFACE REVIEWS
- VERIFY SCOPE OF TESTING AND EVALUATION
- DYNAMIC CODE ANALYSIS
- INTERACTIVE CODE ANALYSIS