SA-11.1: Static Code Analysis

the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;

the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.

System and services acquisition policy

system and services acquisition procedures

procedures addressing system developer security testing

procedures addressing flaw remediation

solicitation documentation

acquisition documentation

service level agreements

acquisition contracts for the system, system component, or system service

security and privacy architecture

system design documentation

system developer security and privacy assessment plans

results of system developer security and privacy assessments

security flaw and remediation tracking records

system security plan

privacy plan

privacy impact assessment

privacy risk assessment documentation

other relevant documents or records

Organizational personnel with system and service acquisition responsibilities

organizational personnel with information security responsibilities

organizational personnel with developer security and privacy testing responsibilities

organizational personnel with configuration management responsibilities

system developers

Organizational processes for monitoring developer security testing and evaluation

mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation

static code analysis tools