SA-11(05) Penetration Testing

Require the developer of the system, system component, or system service to perform penetration testing:

(a) At the following level of rigor: sa-11.5_prm_1 ; and

(b) Under the following constraints: sa-11.05_odp.03.

Parameter ID Definition
sa-11.5_prm_1 organization-defined breadth and depth of testing
sa-11.05_odp.01 breadth
sa-11.05_odp.02 depth
sa-11.05_odp.03 constraints

Baselines

Guidance

Penetration testing is an assessment methodology in which assessors, using all available information technology product or system documentation and working under specific constraints, attempt to circumvent the implemented security and privacy features of information technology products and systems. Useful information for assessors who conduct penetration testing includes product and system design specifications, source code, and administrator and operator manuals. Penetration testing can include white-box, gray-box, or black-box testing with analyses performed by skilled professionals who simulate adversary actions. The objective of penetration testing is to discover vulnerabilities in systems, system components, and services that result from implementation errors, configuration faults, or other operational weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide a greater level of analysis than would ordinarily be possible. When user session information and other personally identifiable information is captured or recorded during penetration testing, such information is handled appropriately to protect privacy.

Related controls 7