CM-18 Change Management

Secure Development Standards

Security is built in, not bolted on.

Domain: Change Management
Control type: Preventive
Automated / manual: Hybrid
Frequency: Continuous
Framework reference: MAS TRM – SDLC; OWASP

What good looks like

Secure-coding standards (OWASP) followed; security addressed by design.

Risk if it fails

Exploitable application vulnerabilities.

How Tess tests it

3 tests — each concludes only on cited evidence.

Secure-coding standards adopted (OWASP)

Design

Procedure: Inspect the standards.
Expected: Defined and adopted.
Sample: 1 (design inspection)
Evidence: Coding standards, SAST/DAST integration evidence.

SAST/DAST integrated in pipeline

Operating

Procedure: Inspect integration.
Expected: Runs on changes.
Sample: 25 (or full config inspection)
Evidence: Coding standards, SAST/DAST integration evidence.

Security requirements addressed by design

Operating

Procedure: Inspect design artefacts.
Expected: Security built in.
Sample: 25 (or full config inspection)
Evidence: Coding standards, SAST/DAST integration evidence.

Evidence Tess looks for

Coding standards, SAST/DAST integration evidence.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-18 against your evidence?