
PW.7.2: Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.


>Control Description

Perform the code review and/or code analysis based on the organization’s secure coding standards, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

>Practice: PW.7

Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements

Help identify vulnerabilities so that they can be corrected before the software is released to prevent exploitation. Using automated methods lowers the effort and resources needed to detect vulnerabilities. Human-readable code includes source code, scripts, and any other form of code that an organization deems human-readable.

>Notional Implementation Examples

  1. Perform peer review of code, and review any existing code review, analysis, or testing results as part of the peer review.
  2. Use expert reviewers to check code for backdoors and other malicious content.
  3. Use peer reviewing tools that facilitate the peer review process, and document all discussions and other feedback.
  4. Use a static analysis tool to automatically check code for vulnerabilities and compliance with the organization’s secure coding standards, with a human reviewing the issues reported by the tool and remediating them as necessary.
  5. Use review checklists to verify that the code complies with the requirements.
  6. Use automated tools to identify and remediate documented and verified unsafe software practices on a continuous basis as human-readable code is checked into the code repository.
  7. Identify and document the root causes of discovered issues.
  8. Document lessons learned from code review and analysis in a wiki that developers can access and search.
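
Examples 4 and 6, together with the control text itself, describe a pipeline: a static analysis tool emits findings, and every finding is recorded and triaged in the team’s issue tracker. The following is an added example (not part of NIST SP 800-218 or this page) of that recording-and-triage step in Python. It reads SARIF 2.1.0 output, the interchange format most static analyzers can produce, deduplicates findings with a stable fingerprint so a re-scan does not open a second ticket, assigns a priority and SLA from the SARIF level, and maps each rule to the organization’s secure coding standard. The tool name `example-sast`, the rule ids, the file paths, the `STANDARD_MAP` identifiers and the SLA values are all constructed for the example; a real deployment would take the SARIF file from the analyzer and the mapping from the organization’s own standard.

```python
"""Triage findings from a static-analysis run (SARIF 2.1.0) into issue-tracker records."""
import hashlib
import json

# Constructed sample SARIF output standing in for a real analyzer's report.
# Tool name, rule ids, paths and messages are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input flows into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "warning",
             "message": {"text": "Possible hard-coded credential"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7}}}]},
            # Same finding reported twice: the triage step must collapse it.
            {"ruleId": "hardcoded-secret", "level": "warning",
             "message": {"text": "Possible hard-coded credential"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})

# Hypothetical mapping from analyzer rule ids to clauses of the organization's
# secure coding standard; the clause ids are placeholders.
STANDARD_MAP = {
    "sql-injection": "SCS-INJ-01",
    "hardcoded-secret": "SCS-SEC-03",
}

# SARIF result level -> (tracker priority, remediation SLA in days). Values are assumed.
PRIORITY = {"error": ("P1", 7), "warning": ("P2", 30), "note": ("P3", 90), "none": ("P3", 90)}


def fingerprint(rule_id, uri, line):
    """Stable id for a finding so a re-scan reporting it again maps to the same ticket."""
    return hashlib.sha256(f"{rule_id}|{uri}|{line}".encode()).hexdigest()[:16]


def parse_sarif(text):
    """Flatten SARIF runs/results into plain finding dicts."""
    doc = json.loads(text)
    findings = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            line = loc.get("region", {}).get("startLine", 0)
            findings.append({
                "tool": tool,
                "rule": res["ruleId"],
                "level": res.get("level", "warning"),
                "file": uri,
                "line": line,
                "message": res["message"]["text"],
                "id": fingerprint(res["ruleId"], uri, line),
            })
    return findings


def triage(findings, known_ids=frozenset()):
    """Deduplicate, skip findings already in the tracker, and build ticket records.

    Every remaining finding is recorded (the control says record *all* issues);
    ones not covered by the coding standard are flagged for a human reviewer.
    """
    tickets, seen = [], set(known_ids)
    for f in sorted(findings, key=lambda f: PRIORITY[f["level"]][0]):
        if f["id"] in seen:
            continue
        seen.add(f["id"])
        priority, sla_days = PRIORITY[f["level"]]
        standard = STANDARD_MAP.get(f["rule"])
        tickets.append({
            "key": f["id"],
            "title": f"[{f['tool']}] {f['rule']} in {f['file']}:{f['line']}",
            "priority": priority,
            "sla_days": sla_days,
            "standard": standard,
            "needs_review": standard is None,
            "body": f["message"],
        })
    return tickets


if __name__ == "__main__":
    for t in triage(parse_sarif(SAMPLE_SARIF)):
        print(t["priority"], t["key"], t["title"], "(needs review)" if t["needs_review"] else "")
```

In a CI job the `known_ids` argument would be filled from the tracker’s open tickets, so each run only opens tickets for new findings, and the `needs_review` flag gives the human reviewer from example 4 a queue of findings that the standard does not yet cover, which feeds the root-cause and lessons-learned steps in examples 7 and 8.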

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

| Framework | References |
|---|---|
| BSA FSS | TV.2, PD.1-4 |
| BSIMM | CR1.2, CR1.4, CR1.6, CR2.6, CR2.7, CR3.4, CR3.5 |
| EO 14028 | 4e(iv), 4e(v), 4e(ix) |
| IDA SOAR | 3, 4, 5, 14, 15, 48 |
| IEC 62443 | SI-1, SVV-1, SVV-2 |
| NIST IR 8397 | 2.3, 2.4 |
| ISO 27034 | 7.3.6 |
| Microsoft SDL | 9, 10 |
| NIST Labels | 2.2.2.2 |
| OWASP ASVS | 1.1.7, 10 |
| OWASP MASVS | 7.5 |
| OWASP SAMM | IR1-B, IR2-A, IR2-B, IR3-A |
| PCI SSLC | 3.2, 4.1 |
| SAFECode Agile | Operational Security Tasks 4; 7; Tasks Requiring the Help of Security Experts 10 |
| SAFECode FPSSD | Use Code Analysis Tools to Find Security Issues Early; Use Static Analysis Security Testing Tools; Perform Manual Verification of Security Features/Mitigations |
| SAFECode SIC | Peer Reviews and Security Testing |
| SP 800-161 | SA-11, SA-11(1), SA-11(4), SA-15(7) |
| SP 800-181 (NICE) | SP-DEV-001, SP-DEV-002, T0013, T0111, T0176, T0267, T0516, K0009, +18 more |
