Skip to content
This repository was archived by the owner on Apr 3, 2025. It is now read-only.
Update control-16.12.rst
Add support for interactive application security testing (IAST) tools as supported in other standards, including:
* NIST 800-53
* NIST Minimum Standard for Application Security Testing
* PCI Software Security Standard (PCI SSS)
* Monetary Authority of Singapore Technology Risk Management Standard (TRM)
* GSA Application Security Testing (AST) Buyers Guide
* OWASP DevSecOps Guide
* Open Software Application Maturity Model (OpenSAMM)
* OWASP Top Ten 2021

See DZone for more information on IAST -- https://dzone.com/refcardz/introduction-to-iast
planetlevel authored Oct 25, 2024
commit 16b814889e889b0fca889f3fdc7e913433fc18ce
19 changes: 17 additions & 2 deletions control-16/control-16.12.rst
@@ -1,6 +1,6 @@
16.12: Implement Code-Level Security Checks
=========================================================
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.
Apply static, dynamic, or interactive analysis tools within the application life cycle to verify that secure coding practices are being followed.

.. list-table::
:header-rows: 1
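Review bot: the rewording on the added description line changes the safeguard's requirement rather than just widening its scope: "static and dynamic analysis tools" required both kinds, while "static, dynamic, or interactive analysis tools" reads as satisfied by any one of them. If the intent is only to add IAST as a third measured category, keep the conjunctive form (for example "static, dynamic, and interactive analysis tools") or leave the description as the published safeguard text and carry the IAST addition in Operations, Measures and Metrics only.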
@@ -31,14 +31,19 @@ Operations
#. For each software identified in Operation 1, determine if it is verified by a dynamic tool identified in Operation 4
#. Identify and enumerate software verified by a dynamic tool (M4)
#. Identify and enumerate software not verified by a dynamic tool (M5)

#. Use Input 1 :code:`GV5` to identify interactive analysis tools
#. For each software identified in Operation 1, determine if it is verified by an interactive tool identified in Operation 6
#. Identify and enumerate software verified by an interactive tool (M6)
#. Identify and enumerate software not verified by an interactive tool (M7)
Measures
--------
* M1 = Count of in-house developed software
* M2 = Count of in-house developed software verified by a static analysis tool
* M3 = Count of in-house developed software not verified by a static analysis tool
* M4 = Count of in-house developed software verified by a dynamic analysis tool
* M5 = Count of in-house developed software not verified by a dynamic analysis tool
* M6 = Count of in-house developed software verified by an interactive analysis tool
* M7 = Count of in-house developed software not verified by an interactive analysis tool

Metrics
-------
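Review bot: the cross-reference "identified in Operation 6" on the second added item looks wrong. The visible dynamic-analysis step cites Operation 4 for tool identification and is followed by three further items, so under `#.` auto-numbering the added "Use Input 1 :code:`GV5` to identify interactive analysis tools" item is Operation 8, and the check should read "identified in Operation 8"; please verify against the full list. Separately, the last added item "(M7)" runs straight into the "Measures" heading with no blank line, which makes docutils warn that the enumerated list ends without a blank line; add one before "Measures".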
@@ -63,6 +68,16 @@ Dynamic Analysis Tool Coverage
* - **Calculation**
- :code:`M4 / M1`

Interactive Analysis Tool Coverage
^^^^^^^^^^^^^^^^
.. list-table::

* - **Metric**
- | The percentage of in-house developed software verified by an
| interactive analysis tool
* - **Calculation**
- :code:`M6 / M1`

.. history
.. authors
.. license
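Review bot: the "^^^^^^^^^^^^^^^^" underline beneath "Interactive Analysis Tool Coverage" is shorter than the title (16 characters against 34), so docutils emits a "Title underline too short" warning and a Sphinx build with -W fails on it. Extend the underline to at least the title's length, as the existing "Dynamic Analysis Tool Coverage" subsection does.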