Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Application Security and Development Security Technical Implementation Guide
SRG-APP-000516
Code coverage statistics must be maintained for each release of the application.
Code coverage statistics must be maintained for each release of the application.
An XCCDF Rule
Details
Profiles
Prose
Code coverage statistics must be maintained for each release of the application.
Low Severity
<VulnDiscussion>This requirement is meant to apply to developers or organizations that are doing application development work. Code coverage statistics describes the overall functionality provided by the application and how much of the source code has been tested during the release cycle. To avoid the potential for testing the same pieces of code over and over again, code coverage statistics are used to track which aspects or modules of the application are tested. Some applications are so large that it is not feasible to test every last bit of the application code on one release cycle. In those instances, it is acceptable to prioritize and identify the modules that are critical to the applications security posture and test those first. Rolling over to test other modules later as resources permit. E.g., testing functionality that performs authentication and authorization before testing printing capabilities. Application developers should keep statistics that show all of the modules of the application and identify which modules were tested and when. This will help testers to keep track of what has been tested and help to verify all functionality is tested. The developer makes sure that flaws are documented in a defect tracking system. If the application is smaller in nature and all aspects of the application can be tested, the code coverage statistics would be 100%.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>