Standards Group:
YALE-MSS-8: Application Development Security
YALE-MSS-8.2: Test for security vulnerabilities when any changes are made to the system
Details
Applications must be fully tested whenever they undergo changes.
Testing is an important part of the change control process, as it can reveal unanticipated security vulnerabilities before a system goes into production.
When vulnerabilities are found, they must be remediated.
It is recommended that all application changes be reviewed in a test environment before production deployment. While many options exist for doing this, two important considerations are: the test environment should not be Internet accessible, and the entire application should be tested (i.e., regression testing).
A range of tools can help test your application for vulnerabilities. These can be automated as part of a secure development lifecycle.
- Static Application Security Testing (SAST) - SAST tools scan the source code of an application to find vulnerabilities. Since they don't require the application to be running, they can be used early in the development process.
- Software Composition Analysis (SCA) - SCA tools analyze an application's third-party components for known vulnerabilities. They can be run at any time.
- Dynamic Application Security Testing (DAST) - DAST tools scan a running application from an attacker's point of view to find vulnerabilities. Because they require the application to be running, they should be used later in the development process.
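As an added illustration (not part of the Yale standard), the following GitHub Actions workflow wires the three tool classes above into a change-control gate: SAST and SCA run on every pull request with no running application, and DAST runs only after they pass, against a test environment that is reachable solely from a self-hosted runner on a private network. The tool choices (Semgrep, pip-audit, OWASP ZAP baseline scan), the Python/requirements.txt project layout, the `deploy-to-staging.sh` script, the `staging-network` runner label and the `STAGING_URL` variable are all assumptions for the example.

```yaml
# Added example, not from the Yale standard or any Yale project.
# Assumptions: a Python application with requirements.txt; Semgrep for SAST,
# pip-audit for SCA, OWASP ZAP baseline scan for DAST; a test environment that
# is not Internet accessible and is reachable only from a self-hosted runner.
name: security-tests

on:
  pull_request:
  push:
    branches: [main]

jobs:
  sast:
    # Source-code scan; needs no running application, so it runs first on every change.
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep (SAST)
        # --error returns a non-zero exit when findings are reported, failing the job
        # and blocking the merge until the finding is remediated or triaged.
        run: semgrep scan --config auto --error

  sca:
    # Third-party components checked against known-vulnerability databases.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: pip-audit (SCA)
        # Exits non-zero if any pinned dependency has a known vulnerability.
        run: |
          python -m pip install pip-audit
          pip-audit -r requirements.txt

  dast:
    # Runs only after SAST and SCA pass, and only against the test environment.
    # The self-hosted runner sits on the same private network as that environment,
    # so the application under test is never exposed to the Internet.
    needs: [sast, sca]
    runs-on: [self-hosted, staging-network]   # assumed runner label
    steps:
      - uses: actions/checkout@v4
      - name: Deploy the change to the test environment
        # Placeholder: replace with the project's own deployment step.
        run: ./deploy-to-staging.sh
      - name: OWASP ZAP baseline scan (DAST)
        # STAGING_URL is a repository variable holding the private test URL
        # (placeholder, e.g. http://app.staging.internal). The scan exits non-zero
        # when alerts are reported, which fails the job.
        run: |
          docker run --rm -v "$PWD:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t "${{ vars.STAGING_URL }}" -r zap-report.html
      - name: Keep the scan report with the change record
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: zap-report.html
```

The ordering mirrors the bullets: the SAST and SCA jobs can fail fast before anything is deployed, while the DAST job depends on both and on a successful deployment, so the full application (not just the changed component) is exercised in the test environment before the change is eligible for production.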
If you need assistance setting up scans or creating a testing plan, please reach out to information.security@yale.edu.