P.4.4 Executable security testing
Control Details
Objective
Discover vulnerabilities only detected through executable testing
Definition
Executable testing, such as that done by in-house testers or third-party penetration testers, is performed to find previously undiscovered vulnerabilities. In-house testers should be guided by design review results, threat modeling, security requirements, and the security mechanisms implemented in security features. Testing should include containers and AI models. Automate security tests as much as possible. Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team's workflow or issue tracking system. Test the build process and scripts.
Assessment Questions
- How are security features tested?
- How are test cases developed to test the security of an application?
- How is security testing factored into a product's test suite?
- How is executable code testing, such as in-house or external penetration testing, used to find vulnerabilities not found by previous reviews, analysis, and testing?
- How do you conduct executable testing on containers?
- How do you test your build process, scripts, and GitHub Actions?
Reference sources
- EO 4e(iv) 4e(v)
- SSDF PW.8.1 PW.8.2
- SSDF-AI PW.8.1 PW.8.2
- BSIMM ST1.1 ST1.3 ST1.4 ST2.4 ST2.5 ST2.6 ST3.3 ST3.4 ST3.5 ST3.6 PT1.1 PT1.2 PT1.3 PT2.3 PT3.1 CMVM3.4
- 800-161 SA-11
- OSSF-Scorecard ci-tests
- Self-attestation 2 4
- SAMM G-PC-1-A V-RT-2-A V-RT-2-B V-ST-3-A V-ST-3-B
- OSPS OSPS-QA-06 OSPS-VM-05 OSPS-VM-06