SA-11: Developer Testing and Evaluation
From NIST's SP800-53:
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| PR.IP-2 | A System Development Life Cycle to manage systems is implemented |
| ID.SC-3 | Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. |
| ID.RA-1 | Asset vulnerabilities are identified and documented |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
| T1647 | Plist File Modification | Defense Evasion |
| T1505 | Server Software Component | Persistence |
| T1601.001 | Patch System Image | Defense Evasion |
| T1552 | Unsecured Credentials | Credential Access |
| T1553.006 | Code Signing Policy Modification | Defense Evasion |
| T1601 | Modify System Image | Defense Evasion |
| T1542.004 | ROMMONkit | Defense Evasion, Persistence |
| T1559.003 | XPC Services | Execution |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1552.001 | Credentials In Files | Credential Access |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1553 | Subvert Trust Controls | Defense Evasion |
| T1552.004 | Private Keys | Credential Access |
| T1542.003 | Bootkit | Defense Evasion, Persistence |
| T1612 | Build Image on Host | Defense Evasion |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1542.001 | System Firmware | Defense Evasion, Persistence |
| T1195.003 | Compromise Hardware Supply Chain | Initial Access |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1505.001 | SQL Stored Procedures | Persistence |
| T1505.004 | IIS Components | Persistence |
| T1213.003 | Code Repositories | Collection |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1528 | Steal Application Access Token | Credential Access |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1505.002 | Transport Agent | Persistence |
| T1495 | Firmware Corruption | Impact |
| T1552.002 | Credentials in Registry | Credential Access |
| T1601.002 | Downgrade System Image | Defense Evasion |