Code coverage statistics must be maintained for each release of the application.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70377	APSC-DV-003180	SV-84999r1_rule		Low

Description
This requirement is meant to apply to developers or organizations that are doing application development work. Code coverage statistics describes the overall functionality provided by the application and how much of the source code has been tested during the release cycle. To avoid the potential for testing the same pieces of code over and over again, code coverage statistics are used to track which aspects or modules of the application are tested. Some applications are so large that it is not feasible to test every last bit of the application code on one release cycle. In those instances, it is acceptable to prioritize and identify the modules that are critical to the applications security posture and test those first. Rolling over to test other modules later as resources permit. E.g., testing functionality that performs authentication and authorization before testing printing capabilities. Application developers should keep statistics that show all of the modules of the application and identify which modules were tested and when. This will help testers to keep track of what has been tested and help to verify all functionality is tested. The developer makes sure that flaws are documented in a defect tracking system. If the application is smaller in nature and all aspects of the application can be tested, the code coverage statistics would be 100%.

Description

This requirement is meant to apply to developers or organizations that are doing application development work. Code coverage statistics describes the overall functionality provided by the application and how much of the source code has been tested during the release cycle. To avoid the potential for testing the same pieces of code over and over again, code coverage statistics are used to track which aspects or modules of the application are tested. Some applications are so large that it is not feasible to test every last bit of the application code on one release cycle. In those instances, it is acceptable to prioritize and identify the modules that are critical to the applications security posture and test those first. Rolling over to test other modules later as resources permit. E.g., testing functionality that performs authentication and authorization before testing printing capabilities. Application developers should keep statistics that show all of the modules of the application and identify which modules were tested and when. This will help testers to keep track of what has been tested and help to verify all functionality is tested. The developer makes sure that flaws are documented in a defect tracking system. If the application is smaller in nature and all aspects of the application can be tested, the code coverage statistics would be 100%.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2018-04-03

Details

Check Text ( C-70831r1_chk )
If the organization does not do or manage the application development work for the application, this requirement is not applicable. Ask the application representative to provide code coverage statistics maintained for the application. If these code coverage statistics do not exist, this is a finding.

Fix Text (F-76613r1_fix)
Track application testing and maintain statistics that show how much of the application function was tested.