Principle 16 - Embedded Continuous Security Testing
Detail
All external or less-trusted interfaces of the service should be identified, and appropriate protections put in place to defend against attacks through them.
Service operations and management processes should keep system security at an acceptable level through continuous monitoring and maintenance, including frequent, regularly scheduled security testing whose scope is extended on each cycle to cover newly discovered vulnerabilities and missing security patches.
Decision Evaluation Criteria:
- Where a service is being evaluated for acceptance into live service, do the provided service operations processes include frequent, regularly scheduled security testing whose scope is extended on each cycle to cover newly discovered vulnerabilities and missing security patches?
- Do the operational code promotion processes include a security testing cycle for new or modified code as part of the path-to-live deployment plan?
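The two criteria above can be satisfied by one pipeline that runs security tests both on every proposed change (the path to live) and on a fixed schedule against unchanged code, so that advisories published after the last release are picked up without waiting for the next code change. The following GitHub Actions workflow is an added example and is not part of the original principle text or of any particular service; it assumes a Python service whose dependencies are pinned in requirements.txt and whose source lives under src/, and it uses pip-audit for dependency vulnerabilities and bandit for static analysis of the code itself.

```yaml
# Added example, not from the original page: embedded continuous security
# testing as a CI workflow. Repository layout (requirements.txt, src/) and
# tool choice are assumptions made for illustration.
name: embedded-security-testing

on:
  pull_request:               # every new or modified change is tested before promotion
  push:
    branches: [main]          # and again on the branch that feeds live deployment
  schedule:
    - cron: '0 6 * * 1-5'     # weekday 06:00 UTC rerun of unchanged code; the audit
                              # database is refreshed each run, so this is how newly
                              # published vulnerabilities and missing patches enter scope

permissions:
  contents: read

jobs:
  security-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install test tooling
        run: pip install pip-audit bandit

      # Known-vulnerability check of pinned dependencies. pip-audit fetches the
      # current advisory data on each run, so a scheduled run fails when a newly
      # disclosed vulnerability affects a pinned version that has not been
      # patched. --strict also fails the job if the requirements cannot be
      # resolved, rather than silently auditing an incomplete set.
      - name: Audit dependencies for known vulnerabilities
        run: pip-audit -r requirements.txt --strict

      # Static analysis of the service's own code; -ll reports medium severity
      # and above, -ii medium confidence and above, so the gate blocks on
      # findings a reviewer would act on rather than on every informational hit.
      - name: Static security analysis of changed code
        run: bandit -r src -ll -ii
```

A failing job blocks the pull request and the push to main, which is what makes the testing part of the path to live rather than a parallel activity. The scheduled trigger is the part that addresses the "incrementally include more recently discovered vulnerabilities" wording: the same code is re-audited against a newer advisory set. Dependency auditing does not cover missing operating-system or base-image patches; a service that owns its OS layer would add an equivalent scheduled scan of the image or host to the same workflow.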
Basis
- NIST 29 - Identify and prevent common errors and vulnerabilities
- CSSLP - Embedded Continuous Security Testing
- GDS CSP 11 - External interface protection