Require the developer of the system, system component, or system service to perform penetration testing: (a) At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and (b) Under the following constraints: [Assignment: organization-defined constraints].
Require the developer of the system, system component, or system service to perform attack surface reviews.
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: [Assignment: organization-defined breadth and depth of testing and evaluation].
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
[Withdrawn: Moved to SR-6.]
[Withdrawn: Incorporated into SR-3.]
[Withdrawn: Moved to SR-3(1).]
[Withdrawn: Moved to SR-3(2).]
[Withdrawn: Incorporated into SR-5(1).]
Passcode