Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.
The purpose of the security assessment is to assure the organization that the code has undergone sufficient testing to identify and mitigate errors or vulnerabilities. The review can be performed using static and/or dynamic application security testing tools, manual code review, or a combination of these.

Static analysis examines the source code before the program is run; developers vet the code against a set of rules. By performing static analysis early in the development process, the developer can identify specific errors and correct them in a timely manner. Dynamic testing executes the code to identify potential execution, memory, and data issues at run time. Manual code reviews use development teams to review the code against a set of secure development guidelines.

Example
You are in charge of IT operations for your organization. You have a group of developers who create internal software applications. Because you develop the software in house, you make sure the code is reviewed so that code mistakes do not result in vulnerabilities. You have another software engineer, who is not part of the development team, perform a manual code review to ensure the software meets standards set by the organization. You do this for each software update or iteration. You prohibit the software from being run on the organization's network until the code review is complete.
CMMC
Creating secure software implementations is difficult and requires extra steps to assess the code for security-related vulnerabilities. Security assessment is a process of reviewing software source code in order to identify defects or vulnerabilities within an application. Security assessment may be done using manual or automated techniques.
CIS Controls v7.1: 18.1, 18.2
CA.3.162.[a] the organization reviews internally developed software for risks;
CA.3.162.[b] for the code that is defined as an area of risk, the organization has documented the security assessment process which may include one or more of the following: manual code review, static analysis, and/or dynamic analysis;
CA.3.162.[c] the organization has the ability to demonstrate their security assessment process; and
CA.3.162.[d] the security assessment process is integrated with the change management process.
CA.3.162.[a] the contractor establishes and maintains a plan that provides oversight for implementing the policies required in CA.2.999;
CA.3.162.[b] the plan includes a mission and/or vision statement;
CA.3.162.[c] the plan includes strategic goals/objectives;
CA.3.162.[d] the plan includes relevant standards and procedures;
CA.3.162.[e] the plan documents the activities, due dates, and resources (e.g., funding, people, tools) assigned to implement and manage the policies required in CA.2.999;
CA.3.162.[f] people resources are assigned to support implementing the policies required in CA.2.999 and staff members have the appropriate knowledge, skills, and abilities to carry out their duties;
CA.3.162.[h] funding resources are defined and assigned to fully execute implementing the policies required in CA.2.999 to include proper oversight, execution, and maintenance;
CA.3.162.[i] specific tools required to implement the policies required in CA.2.999 are provided and people resources are adequately trained to use these tools; and
CA.3.162.[j] relevant stakeholders are involved in resourcing activities.
CA.3.162. Establish, maintain, and resource a plan that includes Security Assessment.