16.12
IG3

Implement Code-Level Security Checks

Asset Type: Applications
Security Function: Protect

Description

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.

Implementation Checklist

1. Inventory the static (SAST, including secret scanning) and dynamic (DAST) analysis tools already in the application life cycle, and where in the pipeline each one runs.
2. Configure and deploy the required analysis tools, with rule sets tuned to the languages and frameworks in use and builds failing on an agreed severity threshold.
3. Test control effectiveness in a non-production environment: confirm the tools flag seeded test cases (a known vulnerable pattern, a dummy credential) and that the pipeline blocks the change.
4. Enable the checks on the production pipeline and verify that every change is scanned before release.
5. Document tool configuration, finding triage, exception handling, and operational ownership.

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Vulnerability Deployed to Production Undetected

Integrity

A cross-site scripting vulnerability is introduced in a code change and deployed to production because no static or dynamic analysis tools are integrated into the CI/CD pipeline to catch it before release.

Hardcoded Secrets Committed to Source Code Repository

Confidentiality

A developer commits API keys and database credentials directly into source code, and they are pushed to a shared repository without detection because no static analysis scans for embedded secrets.
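Both scenarios above (a cross-site scripting sink that reaches production, and credentials committed to the repository) are the kind of pattern a static check in the pipeline is meant to stop. The following is an added illustration, not code from the original page or from any real analysis tool: a minimal SAST-style gate that scans source text for known secret formats, credential assignments, high-entropy literals and unsafe HTML sinks, then returns a non-zero exit status so a CI step fails. The rule names, regexes, threshold and the sample source are all constructed for this example; a real tool has far broader coverage and should replace this in practice.

```python
#!/usr/bin/env python3
"""Minimal SAST-style commit gate (constructed example): flag hardcoded
secrets and unsafe HTML sinks in source text, then fail the pipeline when
anything is found."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int      # 1-based line number in the scanned text
    snippet: str   # the offending source line, stripped


# Signature rules: known secret formats and credential assignments.
SECRET_RULES = {
    "aws-access-key-id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
    "private-key-block": re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----'),
    "assigned-credential": re.compile(
        r'(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*[\'"]([^\'"]{8,})[\'"]'),
}
# Values that look like credentials but are templating placeholders, not leaks.
PLACEHOLDER = re.compile(r'^(\$\{[^}]*\}|<[^>]*>|\{\{[^}]*\}\}|changeme|xxx+)$', re.I)

# Sink rules: attacker-influenced strings written as HTML (XSS).
SINK_RULES = {
    "js-innerhtml-assignment": re.compile(r'\.innerHTML\s*=(?!=)\s*[^\s\'"`]'),
    "jinja-safe-filter": re.compile(r'\|\s*safe\b'),
    "flask-markup-wrap": re.compile(r'\bMarkup\s*\('),
}

# Entropy fallback for secrets no signature knows about.
QUOTED_LITERAL = re.compile(r'[\'"]([^\'"]{20,})[\'"]')
ENTROPY_THRESHOLD = 4.0   # bits per character; chosen for this demo, tune per codebase


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(lineno: int, line: str) -> list[Finding]:
    text = line.strip()
    found = []
    for rule, pattern in SECRET_RULES.items():
        m = pattern.search(line)
        if not m:
            continue
        if rule == "assigned-credential" and PLACEHOLDER.match(m.group(2)):
            continue   # "${DB_PASSWORD}"-style placeholders are not leaks
        found.append(Finding(rule, lineno, text))
    if not found:   # fall back to entropy only when no signature matched
        for m in QUOTED_LITERAL.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                found.append(Finding("high-entropy-literal", lineno, text))
                break
    for rule, pattern in SINK_RULES.items():
        if pattern.search(line):
            found.append(Finding(rule, lineno, text))
    return found


def scan(source: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        findings.extend(scan_line(lineno, line))
    return findings


def gate(source: str) -> int:
    """Return the exit status a CI step would use: 0 clean, 1 findings."""
    findings = scan(source)
    for f in findings:
        print(f"{f.line}: [{f.rule}] {f.snippet}")
    return 1 if findings else 0


# Constructed sample, not code from any real project: lines that should
# and should not trip the rules (lines 3, 4, 5, 8 and 9 are findings).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_KEY = "sk_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
HMAC_SEED = "Zx9!qL2#vB7@kP4$mN8%wR3^tY6&uJ1*"
TEMPLATE_PASSWORD = "${DB_PASSWORD}"
node.innerHTML = "<p>static</p>"
node.innerHTML = req.query.name
return Markup("<b>" + username + "</b>")
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    sys.exit(gate(text))
```

Run it with a file path as a pre-commit hook or pipeline step and the non-zero exit blocks the change. The placeholder allow-list and the entropy threshold are where false positives are managed; a value read from the environment (line 2 of the sample) or a templating placeholder (line 6) passes, while a literal that matches no signature but looks random (line 5) still fails.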

Business Logic Flaw Missed Without Dynamic Testing

Confidentiality

A complex authorization bypass vulnerability exists in a running application but is undetectable through code review alone, and no dynamic analysis tool tests the running application to discover it.
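The authorization bypass above is only visible by exercising the running application: the handler looks correct in isolation because the ownership check is simply absent. The following is an added example, not code from the original page or from any real application or DAST product. It starts a constructed, deliberately vulnerable HTTP service in-process and runs a horizontal-authorization probe against it over real HTTP: every known user token is used to request every known record, and any 2xx response on a record the user does not own is reported. The tokens, order IDs, endpoint shape and the `enforce_ownership` switch are all assumptions made for the demo.

```python
#!/usr/bin/env python3
"""Dynamic authorization probe (constructed example): run a tiny vulnerable
HTTP app in-process and test over HTTP whether one user's token can read
another user's record (an IDOR/BOLA flaw)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed fixture data: two tenants, each with one order.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {"1001": {"owner": "alice", "total": 42.0},
          "2002": {"owner": "bob", "total": 99.0}}

# Disable any environment proxy so the probe really hits the local server.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class OrderHandler(BaseHTTPRequestHandler):
    """GET /orders/<id>: authenticates the bearer token but, unless
    enforce_ownership is set, never checks that the caller owns the order."""
    enforce_ownership = False   # False = vulnerable build, True = hardened build

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        user = TOKENS.get(auth.removeprefix("Bearer "))
        if user is None:
            return self._send(401, {"error": "unauthenticated"})
        parts = self.path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "orders" or parts[1] not in ORDERS:
            return self._send(404, {"error": "not found"})
        order = ORDERS[parts[1]]
        if self.enforce_ownership and order["owner"] != user:
            return self._send(403, {"error": "forbidden"})   # the missing check
        return self._send(200, order)

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_server():
    """Bind to an ephemeral port on loopback and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), OrderHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch(base, path, token):
    """Return the HTTP status for GET path with the given bearer token."""
    req = urllib.request.Request(base + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe_horizontal_authz(base):
    """Request every order as every user; a 2xx on an order the user does
    not own is an authorization-bypass finding (user, order_id, status)."""
    findings = []
    for token, user in TOKENS.items():
        for oid, order in ORDERS.items():
            status = fetch(base, f"/orders/{oid}", token)
            if order["owner"] != user and 200 <= status < 300:
                findings.append((user, oid, status))
    return findings


def run_probe(enforce_ownership):
    """Start the app in the chosen mode, probe it, and shut it down."""
    OrderHandler.enforce_ownership = enforce_ownership
    srv, base = start_server()
    try:
        return probe_horizontal_authz(base)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("vulnerable build:", run_probe(False))
    print("hardened build:  ", run_probe(True))
```

The probe needs nothing from the source code, only a set of valid credentials and the identifiers each one should be allowed to reach, which is exactly the information a code reviewer lacks when staring at a single handler. In a pipeline this runs against the non-production deployment after the SAST stage, and any finding fails the stage.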

Vulnerabilities (When Safeguard Absent)

No Automated Security Analysis in Development Pipeline

Without static application security testing (SAST) and dynamic application security testing (DAST) tools integrated into the application life cycle, vulnerabilities in source code and in the running application are not systematically detected before deployment to production.

Manual-Only Code Review for Security

Reliance on manual code review alone without automated static and dynamic analysis tools means coverage is inconsistent and common vulnerability patterns are frequently missed.

Evidence Requirements

Type        Evidence Item                                                                              Collection Frequency
Technical   Pipeline configuration, screenshots or tool exports showing static and dynamic analysis    Captured quarterly
            checks enabled and blocking releases
Document    Procedure documentation for the code-level security checks (tool configuration, triage,    Reviewed annually
            exception handling)
Document    Governing policy document (current, approved, communicated)                                Reviewed annually