Requirement text: CA.3.162: Employ a security assessment of enterprise software that has been
developed internally, for internal use, and that has been organizationally defined as an area of risk.
DISCUSSION FROM SOURCE: CMMC
Creating secure software implementations is difficult and requires extra steps to assess the
code for security-related vulnerabilities. Security assessment is a process of reviewing
software source code in order to identify defects or vulnerabilities within an application.
Security assessment may be done using manual or automated techniques.
CMMC CLARIFICATION
The purpose of the security assessment is to assure the organization that the code has
undergone sufficient testing to identify and mitigate errors or vulnerabilities. The review
can be performed using static and/or dynamic application security testing tools. Static
analysis examines the source code before the program is run. Developers vet the code
against a set of rules. By performing static analysis early in the development process the
developer can identify specific errors and correct them in a timely manner. Dynamic testing
executes the code to identify potential execution, memory, and data issues in real time.
Manual code reviews use development teams to review the code against a set of secure
development guidelines.
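As an added illustration of the static-analysis step (this is not part of the CMMC text): a minimal Python rule checker that walks a module's syntax tree and flags a small set of risky calls before the code is ever executed. The rule identifiers (R001 to R005) and the sample module are constructed for this example.

```python
import ast
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str

# Rule set constructed for this example (hypothetical rule ids): calls that
# become injection or unsafe-deserialization sinks when fed untrusted input.
BANNED_CALLS = {
    "eval": "R001-eval", "exec": "R002-exec",
    "pickle.loads": "R003-pickle-loads", "yaml.load": "R004-yaml-load",
}

def _qualified_name(func: ast.expr) -> str:
    # Return 'name' or 'module.attr' for a call target, else ''.
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def assess_source(source: str) -> list[Finding]:
    """Static pass: inspect the syntax tree without executing the module."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name in BANNED_CALLS:
            findings.append(Finding(BANNED_CALLS[name], node.lineno, f"call to {name}()"))
        # subprocess.* with shell=True hands the command string to a shell
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        if name.startswith("subprocess.") and shell_true:
            findings.append(Finding("R005-shell-true", node.lineno, f"{name}(shell=True)"))
    return findings

def review_gate(source: str) -> bool:
    """True only when no rule fires; the 'do not run until reviewed' gate."""
    return not assess_source(source)

# Constructed sample of an internal tool; lines 3 and 4 should be flagged.
SAMPLE = """import subprocess, pickle
def run(cmd, blob):
    subprocess.run(cmd, shell=True)
    return pickle.loads(blob)
"""
```

A real gate would wire a mature analyzer into the build pipeline; this block only shows the mechanism of vetting source against rules before execution.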
Example
You are in charge of IT operations for your organization. You have a group of developers
who create internal software applications. Because you develop the software in house, you
make sure the code is reviewed so that code mistakes do not result in vulnerabilities. You
have another software engineer, who is not part of the development team, perform a manual
code review to ensure the software meets standards set by the organization. You do this for
each software update or iteration. You prohibit the software from being run on the
organization’s network until the code review is complete.
References
• CMMC
• CIS Controls v7.1 18.1, 18.2