Episode 110 — Spotlight: Developer Testing and Evaluation (SA-11)
Developer Testing and Evaluation (SA-11) requires that software be verified through systematic testing to uncover defects and security weaknesses before release. For the exam, be able to distinguish the breadth of techniques: unit tests, integration tests, static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), interactive testing, fuzzing, and manual code review. SA-11 emphasizes shift-left practices that place security checks alongside functional tests in CI/CD pipelines, ensuring findings either block builds or create work items with severity-based SLAs. The aim is to make security quality an objective gate, not a post hoc negotiation, and to ensure test coverage reflects risk, complexity, and data sensitivity.
Operationally, organizations implement test strategies as code: pipelines invoke SAST and SCA on commit, run unit and integration suites on merge, and execute DAST or fuzzing in staging with seed corpora designed from threat models. Evidence includes test plans, coverage reports, vulnerability findings with remediation commits, and signed release artifacts tied to build numbers and commit hashes. Metrics track defect discovery and closure rates, mean time to remediate critical vulnerabilities, code coverage for security-relevant paths, and recurrence of previously fixed weaknesses. Pitfalls include treating tools as checkboxes without triage discipline, waiving findings without compensating controls or an expiry, and ignoring supply chain risks introduced by third-party libraries. When SA-11 is embedded in development culture, releases arrive with predictable security quality, auditors can trace tests to requirements, and engineering teams gain fast feedback that improves code health over time.
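The gate-and-SLA logic described above, written out as an added example (this is not code from the episode or from BareMetalCyber.com). It assumes a hypothetical, constructed findings export in JSON rather than any particular tool's format, a policy-as-code table mapping severity to "blocks the build" and to an SLA in days, a waiver register where a waiver only applies if it carries a justification and has not expired, and a constructed remediation log for the mean-time-to-remediate metric. Results are keyed to a placeholder commit hash so the evidence can be tied back to a build.

```python
"""Severity-based security gate for CI findings (added example, not the episode's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Constructed sample findings; the field layout is hypothetical, not a real tool's schema.
SAMPLE_FINDINGS_JSON = """
[
  {"id": "SAST-0001", "tool": "sast", "severity": "HIGH", "rule": "sql-injection",
   "file": "app/db.py", "line": 42},
  {"id": "SCA-0002", "tool": "sca", "severity": "CRITICAL", "package": "example-lib",
   "version": "1.2.3", "advisory": "PLACEHOLDER-ADVISORY-ID"},
  {"id": "SAST-0003", "tool": "sast", "severity": "MEDIUM", "rule": "weak-hash",
   "file": "app/auth.py", "line": 17},
  {"id": "SAST-0004", "tool": "sast", "severity": "LOW", "rule": "debug-enabled",
   "file": "app/settings.py", "line": 3},
  {"id": "SCA-0005", "tool": "sca", "severity": "HIGH", "package": "other-lib",
   "version": "4.0.0", "advisory": "PLACEHOLDER-ADVISORY-ID-2"}
]
"""

# Policy as code (assumed values): which severities fail the build, and days allowed to remediate.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}

# Waiver register (constructed). A waiver without a justification, or past its expiry, is ignored,
# which is the guard against "waiving findings without compensating controls".
SAMPLE_WAIVERS = {
    "SCA-0005": {
        "justification": "Vulnerable function not reachable; compensating control documented",
        "expires": "2099-01-01",
    },
}

# Constructed remediation log used for the mean-time-to-remediate metric.
SAMPLE_REMEDIATION_LOG = [
    {"id": "SCA-0100", "severity": "CRITICAL", "opened": "2024-03-01", "closed": "2024-03-05"},
    {"id": "SAST-0101", "severity": "CRITICAL", "opened": "2024-04-10", "closed": "2024-04-16"},
    {"id": "SAST-0102", "severity": "HIGH", "opened": "2024-04-01", "closed": "2024-04-21"},
]

# Fixed "current time" so the example is deterministic.
DEMO_NOW = datetime(2024, 6, 1)
DEMO_COMMIT = "0000000000000000000000000000000000000000"  # placeholder commit hash


@dataclass
class WorkItem:
    finding_id: str
    severity: str
    due: str  # ISO date by which the finding must be remediated under the SLA


def load_findings(text: str) -> list:
    return json.loads(text)


def waiver_applies(finding_id: str, waivers: dict, now: datetime) -> bool:
    """A waiver counts only if it has a justification and has not expired."""
    w = waivers.get(finding_id)
    if not w or not w.get("justification"):
        return False
    return datetime.fromisoformat(w["expires"]) > now


def evaluate_gate(findings: list, waivers: dict, now: datetime, commit_sha: str) -> dict:
    """Decide pass/fail for a build and open SLA-dated work items for every unwaived finding."""
    blocking, work_items = [], []
    for f in findings:
        sev = f["severity"].upper()
        if waiver_applies(f["id"], waivers, now):
            continue  # accepted risk with a documented, unexpired waiver
        due = (now + timedelta(days=SLA_DAYS[sev])).date().isoformat()
        work_items.append(WorkItem(f["id"], sev, due))
        if sev in BLOCKING_SEVERITIES:
            blocking.append(f["id"])
    return {"commit": commit_sha, "passed": not blocking,
            "blocking": blocking, "work_items": work_items}


def mean_time_to_remediate(log: list, severity: str) -> float:
    """Average days from open to close for closed findings of the given severity."""
    durations = [
        (datetime.fromisoformat(r["closed"]) - datetime.fromisoformat(r["opened"])).days
        for r in log if r["severity"] == severity and r.get("closed")
    ]
    return sum(durations) / len(durations) if durations else 0.0


def run_demo() -> dict:
    result = evaluate_gate(load_findings(SAMPLE_FINDINGS_JSON), SAMPLE_WAIVERS, DEMO_NOW, DEMO_COMMIT)
    result["mttr_critical_days"] = mean_time_to_remediate(SAMPLE_REMEDIATION_LOG, "CRITICAL")
    return result


if __name__ == "__main__":
    r = run_demo()
    print("build passed:", r["passed"], "blocking:", r["blocking"])
    for wi in r["work_items"]:
        print(f"  work item {wi.finding_id} [{wi.severity}] due {wi.due}")
    print("MTTR (critical, days):", r["mttr_critical_days"])
```

In a pipeline this would run after the SAST and SCA steps and exit non-zero when `passed` is false; the work items and the commit hash in the result are the evidence trail the text refers to, and the MTTR figure is one of the metrics it lists.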
Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.