CM-19 Change Management
Application Security Testing & Pen Test
Applications are tested for security pre/post release.
- Domain: Change Management
- Control type: Detective
- Automated / manual: Hybrid
- Frequency: Per release + annual
- Framework reference: MAS TRM – SDLC; Cyber Hygiene
What good looks like
SAST/DAST before release and periodic pen testing; findings tracked and remediated.
Risk if it fails
Vulnerabilities released/persisting in production.
How Tess tests it
4 tests — each concludes only on cited evidence.
Security-testing cadence defined (incl. pen test)
- Type: Design
- Procedure: Inspect the cadence.
- Expected: Defined.
- Sample: 1 (design inspection)
- Evidence: Pen-test reports, scan results, remediation register.
Pre-release security testing performed
- Type: Operating
- Procedure: Sample releases.
- Expected: Tested before release.
- Sample: 1
- Evidence: Pen-test reports, scan results, remediation register.
Periodic penetration test performed
- Type: Operating
- Procedure: Inspect the pen-test report.
- Expected: Performed in period.
- Sample: 1
- Evidence: Pen-test reports, scan results, remediation register.
Findings remediated/tracked by severity
- Type: Operating
- Procedure: Inspect the remediation tracker.
- Expected: Closed per severity SLA.
- Sample: 1
- Evidence: Pen-test reports, scan results, remediation register.
Evidence Tess looks for
Pen-test reports, scan results, remediation register.