Applications are comprehensively tested for vulnerabilities, using static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases.
Define the scope and design of comprehensive security tests, conduct the tests, and document results within the development workflow or issue tracking system. Conduct functional testing of security features, dynamic vulnerability testing, and tests for previously reported vulnerabilities. Use additional techniques such as fuzz testing, penetration testing, and root cause analysis to strengthen security. Document all issues, remediations, and lessons learned, and use resources like source code and design records to inform ongoing test planning.
Embed security testing as a parallel process across all phases of the development lifecycle, from requirement analysis to design and construction. Avoid concentrating testing efforts at a single stage, such as pre-release, by integrating automated, low-friction security tests early into development tools and CI/CD pipelines. Early detection reduces remediation costs and ensures rapid resolution of vulnerabilities.

Proactively enhance security testing by propagating insights from prior testing activities. For instance, if penetration tests reveal session management issues, these insights should trigger focused retesting before code changes are deployed to production. Utilize a combination of automated and manual tests, guided by security champions and centralized secure software groups, to ensure thorough coverage.

Continuously document test outcomes, remediations, and lessons learned, and integrate these insights into organizational playbooks to improve the efficiency and efficacy of future tests. Address unremediated risks collaboratively with stakeholders by establishing actionable timelines and accountability for resolution. Through this approach, maintain robust, scalable security practices across the development lifecycle.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-10-04-01-01 | Integrate security testing at all stages | Run SAST tools during pull requests in GitHub and integrate DAST tools into post-build tests for applications. | Development | Security team, Development teams |
SSS-02-10-04-01-02 | Continuously triage and prioritize issues | Automate severity scoring using CVSS in JIRA and assign critical issues for immediate resolution to development teams. | Development | DevOps team, Security champions |
SSS-02-10-04-01-03 | Propagate security test results proactively | After a penetration test highlights SQL injection vulnerabilities, add specific SQL injection tests to automated scanning tools. | Deployment | Security team, Development managers |
SSS-02-10-04-01-04 | Continuously review and enhance testing efforts | Update the organization's secure coding guidelines with new insights from recent security test findings. | Deployment | Security champions, Security team |
SSS-02-10-04-01-05 | Establish accountability for accepted risks | Use an internal dashboard to track accepted risks and associated deadlines, with regular reminders for stakeholders and managers. | Post-deployment | Development managers, Security team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0402); NIST Secure Software Development Framework (PW.8.2); OWASP SAMM: Software Assurance Maturity Model (V-ST-3-B) | | |