SA-11 (01)—Developer Testing and Evaluation | Static Code Analysis
>Control Description
>FedRAMP Baseline Requirements
Additional Requirements and Guidance
SA-11 (1) Requirement: The service provider must document its methodology for reviewing newly developed code for the Service in its Configuration Management Plan. If static code analysis cannot be performed (for example, when the source code is not available), then dynamic code analysis must be performed (see SA-11 (8)).
>Discussion
Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses.
Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.
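The evidence the discussion names (defect density for critical defect types, proof that findings were inspected, and the share of ignored findings) can be computed directly from a scanner's report rather than asserted in a narrative. The script below is an added example, not part of the NIST or FedRAMP text: it reads a SARIF 2.1.0 document (the interchange format most static analyzers emit), treats a suppression whose review status is `rejected` as still open, flags active suppressions that carry no justification (an ignored finding with no recorded reason is not evidence that anyone inspected it), and raises a process-review flag when the ignored share crosses a threshold. The sample report, the `example-sast` tool name, the rule identifiers, the 30% ignored-ratio limit and the mapping of SARIF level `error` to "critical" are constructed assumptions for illustration.

```python
"""Compute SA-11(1)-style evidence metrics from a SARIF 2.1.0 static-analysis report.
Added example; the report, rules and thresholds below are constructed, not real data."""
import json
from collections import Counter

# Hypothetical defaults, not drawn from the control text; tune per program.
CRITICAL_LEVELS = {"error"}      # SARIF levels treated as "critical defect types"
IGNORED_RATIO_LIMIT = 0.30       # ignored share above this triggers a process review


def _result(rule, level, text, uri, suppressions=None):
    """Build one SARIF result object (helper for the constructed sample only)."""
    r = {"ruleId": rule, "level": level, "message": {"text": text},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}
    if suppressions:
        r["suppressions"] = suppressions
    return r


# Constructed SARIF fragment standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            _result("sql-injection", "error", "tainted input reaches a SQL query", "app/db.py"),
            _result("weak-hash", "warning", "MD5 used for integrity check", "app/auth.py",
                    [{"kind": "inSource", "status": "accepted",
                      "justification": "non-security checksum on cache keys"}]),
            # Ignored with no reason recorded: not evidence of inspection.
            _result("vulnerable-dependency", "error",
                    "examplelib 1.2.3 pinned; advisory published, fixed in 1.2.4",
                    "requirements.txt", [{"kind": "external"}]),
            # Reviewer rejected the developer's suppression: finding is still open.
            _result("hardcoded-secret", "error", "string literal looks like an API key",
                    "app/config.py", [{"kind": "inSource", "status": "rejected",
                                       "justification": "placeholder"}]),
            _result("path-traversal", "warning", "user path joined without normalization",
                    "app/files.py", [{"kind": "external", "status": "accepted",
                                      "justification": "path canonicalized by upstream middleware"}]),
            _result("debug-enabled", "note", "DEBUG=True in settings", "app/settings.py"),
        ],
    }],
})


def iter_results(sarif_text):
    """Yield every result across all runs of a SARIF document."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        yield from run.get("results", [])


def effective_suppressions(result):
    """Suppressions that actually hide the finding (a 'rejected' review does not)."""
    return [s for s in result.get("suppressions", []) if s.get("status") != "rejected"]


def is_ignored(result):
    return bool(effective_suppressions(result))


def is_justified(result):
    """An ignored finding counts as inspected only if every active suppression says why."""
    return all(s.get("justification", "").strip() for s in effective_suppressions(result))


def summarize(sarif_text, lines_of_code, ignored_ratio_limit=IGNORED_RATIO_LIMIT):
    """Return the evidence metrics for one report; lines_of_code sizes the KLOC density."""
    results = list(iter_results(sarif_text))
    by_level = Counter(r.get("level", "warning") for r in results)  # SARIF default is warning
    ignored = [r for r in results if is_ignored(r)]
    critical = [r for r in results if r.get("level") in CRITICAL_LEVELS]
    critical_open = [r for r in critical if not is_ignored(r)]
    unjustified = [r["ruleId"] for r in ignored if not is_justified(r)]
    ignored_ratio = len(ignored) / len(results) if results else 0.0
    kloc = max(lines_of_code, 1) / 1000.0
    return {
        "total": len(results),
        "by_level": dict(by_level),
        "ignored": len(ignored),
        "ignored_ratio": ignored_ratio,
        "critical_open": len(critical_open),
        "critical_suppressed": len(critical) - len(critical_open),
        "critical_density_per_kloc": len(critical_open) / kloc,
        "unjustified_suppressions": unjustified,
        # A high ignored share, or suppressions with no recorded reason, means the
        # report cannot stand alone as evidence; weigh it against other sources.
        "needs_process_review": ignored_ratio > ignored_ratio_limit or bool(unjustified),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SARIF, lines_of_code=2500), indent=2))
```

Run against a real report with `summarize(open("report.sarif").read(), lines_of_code=<scanned LOC>)`. On the constructed sample, three of six findings are ignored (50%, above the 30% limit) and one suppression has no justification, so the report is flagged for review even though only two critical findings remain open.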
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What acquisition policies and procedures address the requirements of SA-11(1)?
- How are security and privacy requirements integrated into the acquisition process?
- Who is responsible for ensuring that acquisitions comply with SA-11(1)?
- How is security integrated throughout your system development lifecycle (SDLC)?
Technical Implementation:
- How are security requirements defined and documented in acquisition contracts?
- What mechanisms ensure that acquired systems and services meet security requirements?
- How do you validate that vendors and service providers comply with specified security controls?
- What security practices are required at each phase of the SDLC?
- What secure coding practices and standards are required for developers?
Evidence & Documentation:
- Can you provide examples of acquisition documentation that includes security requirements?
- What evidence demonstrates that acquired systems meet security specifications?
- Where is acquisition security documentation maintained throughout the system lifecycle?
- Can you show evidence of security activities performed during development?
- Can you provide code review or static analysis results?