Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and privacy control assessments; Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }}; Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; Implement a verifiable flaw remediation process; and Correct flaws identified during testing and evaluation.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that: Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }}; Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }}; Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }}; and Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}.
family SA
framework nist-800-53
Require an independent agent satisfying {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using the following processes, procedures, and/or techniques: {{ insert: param, sa-11.04_odp.02 }}.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to perform penetration testing: At the following level of rigor: {{ insert: param, sa-11.5_prm_1 }}; and Under the following constraints: {{ insert: param, sa-11.05_odp.03 }}.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to perform attack surface reviews.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: {{ insert: param, sa-11.7_prm_1 }}.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
family SA
framework nist-800-53
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
family SA
framework nist-800-53