Cybersecurity Maturity Model Certification (CMMC) Secure Code Review Requirements. This 6+ minute video covers Secure Code Review Requirements for companies who develop and use software in the products they sell.
CMMC Capability C036 – Perform Code Review
A security assessment must be performed when the software is defined as an area of risk. We often hear that secure software development is challenging and requires extra steps to assess the code for security related vulnerabilities. Security assessment is a process of reviewing software source codes in order to identify defects and vulnerabilities.
The purpose of a security assessment is to assure software code receives sufficient testing to identify and mitigate errors and vulnerabilities. The review can be performed using static and/or dynamic application security testing tools. Static analysis examines the source code before the program is run. Developers test the code against a set of rules by performing static analysis early in the software development process. Static analysis enables the developer to identify errors and correct them in a timely manner.
Dynamic testing evaluates software code during execution to identify potential problems. Development teams perform manual reviews to check the code against a set of guidelines.
So what does this all mean?
If you develop software in the products you sell to the DoD, CMMC Secure code review requirements dictate you perform manual or automatic reviews. Establish a secure code review program that fits your development environment to achieve this practice.
What are your options?
Manual secure code reviews and peer reviews are effective but labor intensive. You will assign a developer to review another developer’s code. Basically, if you want to go with an automated static applications security testing tool (SAST), you can find an open source or commercial tool to scan for vulnerabilities. For example, if you are using Python as your programming language, you can use an open source tool like Bandit.
If you want to go with an automated dynamic application security testing tool (DAST), you can find an open source or commercial tool as well. If you are developing API’s, you need to find a tool that can scan and assess your API vulnerabilities as well. In addition, you will want to track and remediate these vulnerabilities. Let’s take a holistic view on software security. To be more effective, you should consider building a software security program instead of just scanning the code.
Suggestions to build a software security program
Consider creating secure coding standards or guidelines for your developers to follow. This is to show your developers how to develop secure code. Next, you want to train your developers to write secure code by following the standards/guidelines you have created. You also want to share the regularly found vulnerabilities with your developers so they can understand the mistakes they have made. Then they will be more careful when developing the certain code next time.
My name is Kyle Lai and I’m the President and Chief Information Security Officer at KLC Consulting. If you have any questions or need any help on CMMC or software security, please contact us at CMMC@klcconsulting.net. Thank you.
To learn more about the Cybersecurity Maturity Model Certification, click here.
To visit the CMMC Accreditation Board website, click here.
Please check out our video about IDOR Vulnerabilities with expert Penetration Tester Chris Centore!