Code coverage statistics must be maintained for each release of the application.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-003180

Associated with: CCI-003188

SV-84999r1_rule Code coverage statistics must be maintained for each release of the application.

Vulnerability discussion

This requirement is meant to apply to developers or organizations that are doing application development work.

Code coverage statistics describe the overall functionality provided by the application and how much of the source code has been tested during the release cycle. To avoid testing the same pieces of code over and over again, code coverage statistics are used to track which aspects or modules of the application have been tested.

Some applications are so large that it is not feasible to test every last bit of the application code in one release cycle. In those instances, it is acceptable to prioritize and identify the modules that are critical to the application's security posture, test those first, and roll over to test other modules later as resources permit, e.g., testing functionality that performs authentication and authorization before testing printing capabilities.

Application developers should keep statistics that show all of the modules of the application and identify which modules were tested and when. This helps testers keep track of what has been tested and verify that all functionality is tested.

The developer makes sure that flaws are documented in a defect tracking system.

If the application is smaller in nature and all aspects of the application can be tested, the code coverage statistics would be 100%.

Check content

If the organization does not do or manage the application development work for the application, this requirement is not applicable. Ask the application representative to provide code coverage statistics maintained for the application. If these code coverage statistics do not exist, this is a finding.

Fix text

Track application testing and maintain statistics that show how much of the application function was tested.
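The following is an added Python example, not part of the STIG text, showing one way to keep the per-release statistics the vulnerability discussion and fix text call for: per-module coverage rolled up from a per-file report, a record of which modules were tested and in which release, and a check that security-critical modules (here authentication and authorization, following the discussion's own example) are covered before lower-priority ones. The report shape, module names, figures and the 80% threshold are all constructed assumptions for illustration; the threshold is a hypothetical organizational policy value, not something the STIG specifies.

```python
"""Per-module code coverage ledger for a release (added example, not STIG text)."""
import json
from collections import defaultdict

# Constructed sample report: maps source file -> covered/total lines for one release.
# The shape is hypothetical and is not the output format of any particular coverage tool.
SAMPLE_REPORT = {
    "release": "2.4.0",
    "files": {
        "app/auth/login.py":      {"covered": 180, "total": 200},
        "app/auth/session.py":    {"covered": 95,  "total": 100},
        "app/authz/policy.py":    {"covered": 0,   "total": 150},
        "app/printing/render.py": {"covered": 40,  "total": 400},
        "app/printing/export.py": {"covered": 0,   "total": 120},
    },
}

# Modules critical to the application's security posture, tested before the rest
# (the STIG discussion's example: authentication and authorization before printing).
CRITICAL_MODULES = {"auth", "authz"}
CRITICAL_THRESHOLD = 0.80  # assumed policy threshold for critical modules (hypothetical)


def module_of(path):
    """Derive the module name from a path like app/<module>/file.py (assumed layout)."""
    parts = path.split("/")
    return parts[1] if len(parts) > 2 else parts[0]


def summarize(report):
    """Roll per-file line counts up into per-module coverage fractions."""
    covered = defaultdict(int)
    total = defaultdict(int)
    for path, counts in report["files"].items():
        module = module_of(path)
        covered[module] += counts["covered"]
        total[module] += counts["total"]
    return {
        m: {
            "covered": covered[m],
            "total": total[m],
            "coverage": covered[m] / total[m] if total[m] else 0.0,
        }
        for m in total
    }


def update_ledger(ledger, report):
    """Record, per module, the coverage for this release and the last release it was tested in."""
    release = report["release"]
    for module, stats in summarize(report).items():
        entry = ledger.setdefault(module, {"last_tested_release": None, "history": {}})
        entry["history"][release] = round(stats["coverage"], 4)
        if stats["covered"] > 0:
            entry["last_tested_release"] = release
    return ledger


def release_findings(ledger, release, critical=CRITICAL_MODULES, threshold=CRITICAL_THRESHOLD):
    """List critical modules under the threshold for this release and modules never tested."""
    findings = []
    for module in sorted(critical):
        entry = ledger.get(module)
        cov = entry["history"].get(release, 0.0) if entry else 0.0
        if cov < threshold:
            findings.append(f"{module}: coverage {cov:.0%} below {threshold:.0%} for release {release}")
    for module in sorted(m for m, e in ledger.items() if e["last_tested_release"] is None):
        findings.append(f"{module}: never tested in any recorded release")
    return findings


if __name__ == "__main__":
    # The ledger is the artifact to retain per release (e.g. as JSON alongside the build).
    ledger = update_ledger({}, SAMPLE_REPORT)
    print(json.dumps(ledger, indent=2))
    for finding in release_findings(ledger, SAMPLE_REPORT["release"]):
        print("FINDING:", finding)
```

Persisting the ledger with each release gives the evidence an assessor asks for under the check content above: every module is listed, and for each one the release in which it was last exercised and its coverage history are recorded, so untested security-critical modules are visible rather than hidden in an aggregate percentage.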
