
PW.7.1

>Control Description

Determine whether code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in code, either in a fully automated way or in conjunction with a person) should be used, as defined by the organization.

>Practice: PW.7

Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements

Help identify vulnerabilities so that they can be corrected before the software is released to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code, scripts, and any other form of code that an organization deems human-readable.

>Notional Implementation Examples

  1. Follow the organization’s policies or guidelines for when code review should be performed and how it should be conducted. This may include third-party code and reusable code modules written in-house.
  2. Follow the organization’s policies or guidelines for when code analysis should be performed and how it should be conducted.
  3. Choose code review and/or analysis methods based on the stage of the software.

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

BSIMM: CR1.5

EO 14028: 4e(iv), 4e(ix)

IEC 62443: SM-5, SI-1, SVV-1

NIST Labels: 2.2.2.2

SAFECode SIC: Peer Reviews and Security Testing

SP 800-53

SP 800-161: SA-11

SP 800-181 (NICE): SP-DEV-002, K0013, K0039, K0070, K0153, K0165, S0174
