SA-11 DEVELOPER SECURITY TESTING AND EVALUATION
Page last updated:
Compliance with the requirements defined in this control is a deployer responsibility.
A comprehensive system security assessment plan must include the people, process, and technology.
Within the technology stack, the system security assessment must include in scope the application, as well as the supporting platform, and the infrastructure.
Pivotal Cloud Foundry complies with the requirements defined in this control.
Pivotal performs comprehensive product testing on all Pivotal Cloud Foundry releases, including unit tests, integration tests, system tests, and regression tests. Pivotal issues regular releases to remediate any security vulnerabilities (CVEs) found in Cloud Foundry, and documents the history of all CVE announcements on the corresponding security page of the Pivotal Web site.
When deploying an application on Cloud Foundry, the application developers may inherit the technical and procedural controls provided by PCF, but are responsible for any controls implemented within the application itself, as well as the overall compliance of the full deployment.
The organization requires the developer of the information system, system component, or information system service to:
- Create and implement a security assessment plan;
- Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
- Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
- Implement a verifiable flaw remediation process; and
- Correct flaws identified during security testing/evaluation.
Developmental security testing/evaluation occurs at all post-design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.