NIST 800-53 r5 · Controls catalogue · Family SA
SA-11 Developer Testing and Evaluation
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:
- Develop and implement a plan for ongoing security and privacy control assessments;
- Perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};
- Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
- Implement a verifiable flaw remediation process; and
- Correct flaws identified during testing and evaluation.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (34)
- T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.001 Default Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.003 Local Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1134.005 SID-History Injection Stealth, Privilege Escalation
- T1195.001 Compromise Software Dependencies and Development Tools Initial Access
- T1195.003 Compromise Hardware Supply Chain Initial Access
- T1213.003 Code Repositories Collection
- T1495 Firmware Corruption Impact
- T1505 Server Software Component Persistence
- T1505.001 SQL Stored Procedures Persistence
- T1505.002 Transport Agent Persistence
- T1505.004 IIS Components Persistence
- T1528 Steal Application Access Token Credential Access
- T1542 Pre-OS Boot Stealth, Persistence
- T1542.001 System Firmware Stealth, Persistence
- T1542.003 Bootkit Stealth, Persistence
- T1542.004 ROMMONkit Stealth, Persistence
- T1542.005 TFTP Boot Stealth, Persistence
- T1552 Unsecured Credentials Credential Access
- T1552.001 Credentials In Files Credential Access
- T1552.002 Credentials in Registry Credential Access
- T1552.004 Private Keys Credential Access
- T1552.006 Group Policy Preferences Credential Access
- T1553 Subvert Trust Controls Defense Impairment
- T1553.006 Code Signing Policy Modification Defense Impairment
- T1558.004 AS-REP Roasting Credential Access
- T1559.003 XPC Services Execution
- T1574.001 DLL Stealth, Execution
- T1601 Modify System Image Defense Impairment
- T1601.001 Patch System Image Defense Impairment
- T1601.002 Downgrade System Image Defense Impairment
- T1612 Build Image on Host Stealth
- T1647 Plist File Modification Defense Impairment
Weaknesses this control addresses (10)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 14,126 | Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release. |
| CWE-20 | Improper Input Validation | 13,143 | Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied. |
| CWE-284 | Improper Access Control | 4,832 | Explicit security control assessments verify proper access control enforcement, detecting weaknesses that the flaw remediation process then eliminates. |
| CWE-287 | Improper Authentication | 4,730 | Authentication mechanism testing and evaluation during development identifies bypass or weakness conditions, with mandatory correction prior to system delivery. |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 4,689 | Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment. |
| CWE-400 | Uncontrolled Resource Consumption | 3,324 | Resource consumption and denial-of-service testing performed under the assessment plan detects uncontrolled allocation paths that are subsequently fixed. |
| CWE-502 | Deserialization of Untrusted Data | 3,125 | Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses. |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | 697 | Security testing routinely checks for unusual or exceptional inputs/conditions, identifying missing validation steps that flaw remediation then resolves. |
| CWE-693 | Protection Mechanism Failure | 476 | Assessments of security controls directly validate whether protection mechanisms function as intended, exposing failures for correction. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | 146 | Testing and evaluation exercises error paths and exceptional conditions, surfacing improper handling that is then remediated through the defined process. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet (the per-CVE backfill is in progress). | | | | |