How do I know if my application should be subject to code review

Question

How do I know if my application should be subject to code review or other authorization requirements?

Answer

Our office (VA OIS Software Assurance) does not determine authorization requirements; contact an IA analyst or ISO for the timing and applicability of authorization requirements. The activities our office supports are limited to performing, upon request: secure code review (including Fortify SCA distribution and support), secure design review, and application inventory.

With the above in mind, the goal of these notes is limited to helping VA developers and security practitioners understand the extent to which the VA organization can, in practice, assess or secure common types of applications. The table below organizes these applications into a simple taxonomy to assist in determining potential limitations.

Note that an "Application" is the entity around which you perform application-level security analysis. It can be an entire application, a library, a micro-service, a COTS application, Software as a Service (SaaS), or any scannable block of code that you wish to analyze independently and for which you manage the vulnerability data.

Column 1: Notional Application / Application Component Type
Column 2: Potentially-Applicable A&A Requirements

Securable Application
  Description: Code can be scanned using VA-licensed tools; COTS or SaaS that has been made subject to code review authorization requirements (the vendor is compelled to provide code).
  Potentially-applicable A&A requirements:
  • Application Registration
  • Secure Design Review
  • Secure Code Review
  • Composition Analysis Review
  • Penetration Test / Application Assessment

Not Securable Application (Technical Reasons)
  Description: Custom-developed code that cannot be scanned using VA-licensed tools; COTS or SaaS that has been made subject to code review authorization requirements (the vendor is compelled to provide code) but whose code cannot be scanned using VA-licensed tools.
  Potentially-applicable A&A requirements:
  • Application Registration
  • Penetration Test / Application Assessment

Not Securable Application (Non-Technical Reasons)
  Description: Custom-developed code, COTS, or SaaS that may be scannable using VA-licensed tools, but the vendor is unable to comply (for example, because of contractual restrictions).
  Potentially-applicable A&A requirements:
  • Application Registration
  • Penetration Test / Application Assessment

Application Dependency (Internal)
  Description: Dependencies of the application in question that are deployed on the VA network.
  Potentially-applicable A&A requirements:
  • Nessus Scan
  • Database Scan
  • Security Configuration Compliance Data

Application Dependency (External)
  Description: Dependencies of the application in question that are not deployed on the VA network; SaaS.
  Potentially-applicable A&A requirements:
  • Penetration Test / Application Assessment
  • Interconnection Security Agreement (ISA) / Memorandum of Understanding (MOU)
  • Cloud/FedRAMP Reciprocity ATO process

Other
  Description: Applications or components that do not fit into the above categories.
  Potentially-applicable A&A requirements:
  • TRM Requirements
  • Other requirements
