STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.

DISA Rule

SV-222673r508029_rule

Vulnerability Number

V-222673

Group Title

SRG-APP-000516

Rule Version

APSC-DV-003400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Provide application development/operational related security specific annual training for managers, designers, developers, and testers.

Check Contents

This requirement is meant to be applied to developers and development teams only; otherwise, this requirement is not applicable.

Interview the application representative.

Ask for evidence of annual security training for application managers, designers, developers, and testers.

Examples of evidence include course completion certificates and a class roster. At a minimum, security training should include security awareness training pertaining to overall principles of secure application development.

Training must be in addition to DoD 8570 training requirements as DoD 8570 annual security training does not presently cover application SDLC security concerns.

If there is no evidence of security training, this is a finding.

Documentable

False

Severity Override Guidance

(Identical to the Check Contents above.)

Check Content Reference

M

Target Key

4093

Comments