Description
The organization requires that information system developers create a security test and evaluation plan, implement the plan, and document the results.
Changes from Rev 4
Title changed from 'Developer Security Testing and Evaluation' to 'Developer Testing and Evaluation'
Control text adds 'ongoing' and 'privacy'
New parameter to specify the frequency of testing and evaluation
Discussion expanded to include privacy considerations
MITRE ATT&CK Techniques (34)
ATT&CK v16.1. Techniques mitigated by this control, mapped via CTID.
Count by tactic: Initial Access 6, Execution 1, Persistence 14, Privilege Escalation 6, Defense Evasion 18, Credential Access 7, Collection 1, Impact 1

Persistence (14)
T1078 Valid Accounts
T1505 Server Software Component
T1542 Pre-OS Boot
T1078.001 Default Accounts
T1078.003 Local Accounts
T1078.004 Cloud Accounts
T1505.001 SQL Stored Procedures
T1505.002 Transport Agent
T1505.004 IIS Components
T1542.001 System Firmware
T1542.003 Bootkit
T1542.004 ROMMONkit
T1542.005 TFTP Boot
T1574.002 DLL Side-Loading

Defense Evasion (18)
T1078 Valid Accounts
T1542 Pre-OS Boot
T1553 Subvert Trust Controls
T1601 Modify System Image
T1612 Build Image on Host
T1647 Plist File Modification
T1078.001 Default Accounts
T1078.003 Local Accounts
T1078.004 Cloud Accounts
T1134.005 SID-History Injection
T1542.001 System Firmware
T1542.003 Bootkit
T1542.004 ROMMONkit
T1542.005 TFTP Boot
T1553.006 Code Signing Policy Modification
T1574.002 DLL Side-Loading
T1601.001 Patch System Image
T1601.002 Downgrade System Image
Compliance Mappings
ISO 27001:2022
A.8.25, A.8.28, A.8.29, A.8.30, A.8.31, A.8.33
ISO 27002:2022
8.25, 8.26, 8.28, 8.29, 8.30, 8.31, 8.33
COBIT 2019
APO11, BAI03, BAI07
CIS Controls v8
CIS 16, CIS 16.2, CIS 16.3, CIS 16.8, CIS 16.12, CIS 16.13
NIST CSF 2.0
PR.PS-06
SOC 2 TSC
CC4.1-POF1
PCI DSS v4.0.1
6.2, 6.2.3, 6.4
CSA CCM v4
AIS-02, AIS-03, AIS-04, AIS-05, AIS-07, CCC-02, TVM-05
CSA AICM v1
AIS-02, AIS-03, AIS-04, AIS-05, AIS-07, AIS-09, AIS-10, AIS-13, AIS-15, CCC-02, MDS-03, MDS-08, TVM-05, TVM-12
ISO 42001:2023
A.6.2.4
NIS2 Directive
Art. 21(2)(e)
MAS TRM
6
BSI IT-Grundschutz
APP.3.1, OPS.1.1.6
ANSSI
Hygiene.31, Hygiene.33, SecNumCloud.15.5
FINMA Circular 2023/1
IV.A(36), IV.A(37), IV.D(75), IV.D(76)
OSFI B-13
B-13.3.2, B-13.3.5
EU GDPR
Art.25(1), Art.32(1)(d)
EU DORA
Art.25(1), Art.25(2), Art.9(4)(e)
BIO2
8.25, 8.26, 8.28, 8.29, 8.30, 8.31, 8.33
RBI CSF
Annex1.6, Annex1.18
FISC Security Guidelines
FISC.O10, FISC.T6
LGPD + BCB 4893
BCB.Art.10
HKMA TM-E-1
TME1.3.2, TME1.3.3
MLPS 2.0
8.1.9.4, 8.1.9.5
DNB Good Practice
DNB.10.3, DNB.10.4, DNB.22.1
EU CRA
CRA.I.1, CRA.I.2a, CRA.II.2, CRA.II.3
SWIFT CSCF
SWIFT.2.10
SAMA CSF
3.2
NCA ECC
1-6, 2-10, 2-11, 2-14, 2-3
UAE IA
T10, T7
CBB TM
TM-7
Qatar NIA
SD
CBUAE
CR-6
CBE CSF
CTO-4
SA JS2
JS2-7.7, JS2-SA
CBN CSF
Part5.2
BoG CISD
CISD-IX, CISD-SDLC
BoM CTRM
3.11
IOSCO Cyber Resilience
PROT-6, SA-3, TEST-1, TEST-3
BCBS 239
Principle 3, Principle 7
CPMI-IOSCO PFMI
CG.TE, PFMI.P17
FFIEC IS
II.C.15(b), II.C.17, IV.A, IV.A.2
NYDFS 500
500.5, 500.8
ECB CROE
CROE.2.3.4, CROE.2.6.1
EBA ICT Guidelines
3.4.6, 3.6.2
SEBI CSCRF
PR.AS, PR.IP
BOT Cyber Resilience
Ch2.5
TSA Pipeline SD
SD-2 Sec G
IEEE 1686-2022
5.10
PCI PTS v6
F
FIPS 140-3
FIPS 140-3 §7.5, FIPS 140-3 §7.11, FIPS 140-3 §7.12
Common Criteria
CC Part 2 — FPT, CC Part 3 — SAR, CEM
ISAE 3402
Clause 4
Solvency II
EIOPA-ICT-4.11
Lloyd's Minimum Standards
BP2.1, MS8.4, MS8.11
NAIC Insurance Data Security
4-config
PRA SS1/23
P3.3, P4.2, P4.3
FCA SYSC 13
SYSC 13.7.1, SYSC 13.7.4
HITRUST CSF v11
09.b, 10.b, 10.d
FDA 21 CFR Part 11
§11.10(a), §11.10(f)
FDA Cybersecurity Guidance
524B-4, CRA-1, PU-1, ST-1, ST-2, ST-3, ST-4, TM-1
ISO 27799
14.2, 14.3
OWASP MASVS v2.1
MASVS-PLATFORM-2, MASVS-CODE-3, MASVS-CODE-4, MASVS-RESILIENCE-1
CCSS v9.0
1.02.7
Basel SCO60
SCO60.14, SCO60.21, SCO60.51, SCO60.52
BSSC Standards
NOS-02, TIS-02, TIS-04, GSP-08, GSP-15