Standards Group:
YALE-MSS-8: Application Development Security
YALE-MSS-8.2: Test for security vulnerabilities when any changes are made to the system
Details
Applications can be complex systems unto themselves--sometimes relying on numerous third-party libraries and often integrating with other services and applications. Changes to an application always bring some risk of unanticipated side effects, some of which may be security-related.
As with all other systems, applications should be fully tested whenever they undergo noteworthy changes. An important part of the change control process, testing can reveal unanticipated security vulnerabilities before an application goes into production.
It is recommended that all application changes be reviewed in a test environment before production deployment. While many options exist for doing this, two important considerations are that the test environment should not be Internet-accessible and that the entire application, not just the changed component, should be tested (i.e., regression testing).
A range of tools can help test your application for vulnerabilities. Here's a breakdown of the different types.
- Static Application Security Testing (SAST) - SAST tools scan the source code of an application to find vulnerabilities. Since they don't require the application to be running, they can be used early in the development process.
- Software Composition Analysis (SCA) - SCA tools analyze an application's third-party components (libraries and dependencies) for known vulnerabilities. They can be run at any time.
- Dynamic Application Security Testing (DAST) - DAST tools scan a running application from an attacker's point of view to find vulnerabilities. Because they require the application to be running, they should be used later in the development process, such as against the test environment described above.
If you need assistance setting up scans or creating a testing plan, please reach out to information.security@yale.edu.
Please see the guidance in YALE-MSS-5.5 for additional information about testing and change control.