Check: APSC-DV-003180
Application Security and Development STIG: APSC-DV-003180 (in versions v5 r3 through v4 r2)
Title
Code coverage statistics must be maintained for each release of the application. (Cat III impact)
Discussion
This requirement is meant to apply to developers or organizations that are doing application development work. Code coverage statistics describe the overall functionality provided by the application and how much of the source code has been tested during the release cycle. To avoid testing the same pieces of code over and over again, code coverage statistics are used to track which aspects or modules of the application have been tested. Some applications are so large that it is not feasible to test every last bit of the application code in one release cycle. In those instances, it is acceptable to prioritize and identify the modules that are critical to the application's security posture, test those first, and roll over to test other modules later as resources permit, e.g., testing functionality that performs authentication and authorization before testing printing capabilities. Application developers should keep statistics that show all of the modules of the application and identify which modules were tested and when. This will help testers keep track of what has been tested and help verify that all functionality is tested. The developer makes sure that flaws are documented in a defect tracking system. If the application is smaller in nature and all aspects of the application can be tested, the code coverage statistics would be 100%.
Check Content
If the organization does not do or manage the application development work for the application, this requirement is not applicable. Ask the application representative to provide code coverage statistics maintained for the application. If these code coverage statistics do not exist, this is a finding.
Fix Text
Track application testing and maintain statistics that show how much of the application function was tested.
Additional Identifiers
Rule ID: SV-222649r879887_rule
Vulnerability ID: V-222649
Group Title: SRG-APP-000516
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-003188 | The organization defines the specific code for which the developer of the information system, system component, or information system service is required to perform a manual code review using organization-defined process, procedures, and/or techniques.