Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
Explanation
Reviewers want assurance that internally developed software is security-tested, with reviews and analysis to catch vulnerabilities in design, code, and default configurations before release. These processes might include code reviews, static/dynamic application security testing (SAST/DAST), threat modeling, or security-focused quality assurance testing.
Evidence could include documentation of your secure software development lifecycle (SDLC), sample vulnerability assessment reports, screenshots of security testing tools in use, remediation tracking documentation, or a written policy describing your code review and security testing requirements.
Implementation Example
Review, analyze, or test organization-developed software to identify design, coding, and default configuration vulnerabilities
ID: ID.RA-01.149
Context
- Function: ID: IDENTIFY
- Category: ID.RA: Risk Assessment
- Sub-Category: Vulnerabilities in assets are identified, validated, and recorded
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?
- Has your organization configured cybersecurity tools to automatically ingest and operationalize threat intelligence feeds?