CA.3.162 Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.

CMMC Practice CA.3.162: Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)

The purpose of the security assessment is to assure the organization that the code has undergone sufficient testing to identify and mitigate errors or vulnerabilities. The review can be performed using static and/or dynamic application security testing tools. Static analysis examines the source code before the program is run. Developers vet the code against a set of rules. By performing static analysis early in the development process the developer can identify specific errors and correct in a timely manner. Dynamic testing executes the code to identify potential execution, memory, and data issues in real-time.Manual code reviews use development teams to review the code against a set of secure development guidelines.