NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-11(5)Penetration Testing

Require the developer of the system, system component, or system service to perform penetration testing: (a) At the following level of rigor: [Assignment: organization-defined breadth and depth of testing]; and (b) Under the following constraints: [Assignment: organization-defined constraints].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Penetration testing is an assessment methodology in which assessors, using all available information technology product or system documentation and working under specific constraints, attempt to circumvent the implemented security and privacy features of information technology products and systems. Useful information for assessors who conduct penetration testing includes product and system design specifications, source code, and administrator and operator manuals. Penetration testing can include white-box, gray-box, or black-box testing with analyses performed by skilled professionals who simulate adversary actions. The objective of penetration testing is to discover vulnerabilities in systems, system components, and services that result from implementation errors, configuration faults, or other operational weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide a greater level of analysis than would ordinarily be possible. When user session information and other personally identifiable information is captured or recorded during penetration testing, such information is handled appropriately to protect privacy.

Practitioner Notes

This enhancement places the obligation on the developer of the system (the vendor or contractor building it, or a tester working on the developer's behalf) to exercise the running system by simulating real attacks. The acquiring organization sets the two parameters: the level of rigor (breadth and depth, for example which components and interfaces are in scope and whether testing is white-box, gray-box or black-box) and the constraints (rules of engagement, test windows, environments, and how captured data such as session tokens and personally identifiable information must be handled).

Example 1: Require the development team to conduct penetration testing before each major release, with scope, depth and rules of engagement agreed in writing beforehand. At minimum, test for the OWASP Top 10 (the list below is the 2017 edition; re-baseline against the current edition when it changes): injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. Require a report that records each finding's severity, the evidence that demonstrates it, and its remediation status, and retest fixes before release.

Example 2: Run a DAST scanner such as OWASP ZAP or Burp Suite from the CI/CD pipeline against each staging deployment, with active scan rules for SQL injection, cross-site scripting and missing anti-CSRF protections enabled, and block promotion to production when the report contains high-risk findings above a chosen confidence level. Treat this as a continuous vulnerability-scanning baseline that supplements, rather than satisfies, the manual penetration test the control describes: automated scanners do not reliably find authorization and business-logic flaws (authentication bypass, broken access control), which is exactly what skilled testers simulating an adversary are for. Keep any suppressed finding in version control with an owner, a justification and an expiry date so that accepted risks do not become permanent blind spots.
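The pipeline gate described in Example 2, as an added example for this page (not code from NIST, from OWASP ZAP or Burp Suite, or from any project). It assumes ZAP's traditional JSON report layout (a top-level "site" list, each site carrying an "alerts" list whose entries have "pluginid", "riskcode", "confidence", "cweid" and "instances"); the sample report, its URIs and the plugin IDs are constructed for illustration, so check the field names against the report your scanner version actually emits before relying on the gate.

```python
"""Gate a CI/CD stage on an OWASP ZAP JSON report.

Added example; the report layout is an assumption modeled on ZAP's
traditional JSON report and the sample data below is constructed.
"""
import json
import sys
from dataclasses import dataclass

# ZAP encodes risk and confidence as small integers carried as strings.
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium", "3": "High"}


@dataclass(frozen=True)
class Alert:
    plugin_id: str
    name: str
    risk: int          # 0..3, see RISK
    confidence: int    # 0..3, see CONFIDENCE
    uri: str
    cwe_id: str


def load_alerts(report_text: str) -> list[Alert]:
    """Flatten a ZAP JSON report into one Alert per affected URI."""
    report = json.loads(report_text)
    alerts = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            # An alert with no instances still counts once, against the site.
            for inst in a.get("instances", []) or [{}]:
                alerts.append(Alert(
                    plugin_id=str(a.get("pluginid", "")),
                    name=a.get("alert", a.get("name", "")),
                    risk=int(a.get("riskcode", "0")),
                    confidence=int(a.get("confidence", "0")),
                    uri=inst.get("uri", site.get("@name", "")),
                    cwe_id=str(a.get("cweid", "")),
                ))
    return alerts


def gate(alerts, fail_at_risk=3, min_confidence=2, accepted=frozenset()):
    """Return (passed, blocking); blocking lists the alerts that fail the build.

    fail_at_risk    lowest riskcode that blocks (3 = High only, 2 = Medium and up).
    min_confidence  alerts below this confidence are reported but do not block,
                    so low-confidence scanner guesses do not stall every deploy.
    accepted        (plugin_id, uri) pairs with a documented risk acceptance;
                    ZAP's own "False Positive" confidence (0) never blocks.
    """
    blocking = [
        a for a in alerts
        if a.risk >= fail_at_risk
        and a.confidence >= min_confidence
        and (a.plugin_id, a.uri) not in accepted
    ]
    return (len(blocking) == 0, blocking)


# Constructed sample report, not output from a real scan.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "https://staging.example.internal",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
             "confidence": "2", "cweid": "89",
             "instances": [{"uri": "https://staging.example.internal/search?q=1",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "1", "cweid": "79",
             "instances": [{"uri": "https://staging.example.internal/echo",
                            "method": "GET", "param": "msg"}]},
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens",
             "riskcode": "2", "confidence": "1", "cweid": "352",
             "instances": [{"uri": "https://staging.example.internal/login",
                            "method": "POST", "param": ""}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [{"uri": "https://staging.example.internal/static/app.js",
                            "method": "GET"}]},
        ],
    }],
})


def run(report_text, accepted=frozenset(), fail_at_risk=3, min_confidence=2):
    """Print every finding, flag the blocking ones, and return True if the gate passes."""
    alerts = load_alerts(report_text)
    passed, blocking = gate(alerts, fail_at_risk, min_confidence, accepted)
    for a in alerts:
        tag = "BLOCK" if a in blocking else "note "
        print(f"{tag} [{RISK[str(a.risk)]}/{CONFIDENCE[str(a.confidence)]}] "
              f"{a.name} (CWE-{a.cwe_id}) {a.uri}")
    return passed


if __name__ == "__main__":
    # Risk acceptances belong in version control with an owner and an expiry
    # date; the empty set here suppresses nothing. Non-zero exit fails the stage.
    sys.exit(0 if run(SAMPLE_REPORT) else 1)
```

With the defaults (block on High risk at Medium confidence or better), only the SQL injection finding fails the build; the reflected XSS is reported but does not block because the scanner itself rated it low confidence, which is the kind of finding a human tester should confirm rather than a pipeline should auto-fail on. Lowering min_confidence or fail_at_risk tightens the gate, and an accepted-risk entry for a specific plugin and URI lets a reviewed finding through without suppressing the rule everywhere.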