Profile Applicability:
 Level 1

Description:
 Implement monitoring and tracking mechanisms to detect and log anomalous or unexpected behaviors within code during the development, testing, and production phases. This includes unusual execution patterns, unauthorized changes, suspicious activity, and deviations from expected logic, so that potential security issues or bugs can be identified quickly.

Rationale:
 Tracking anomalous code behavior supports early detection of security vulnerabilities, malicious code injections, and functional defects. It also supports incident response, forensic investigations, and continuous improvement of code quality and security posture.

Impact:
 Pros:

  • Enables early identification of security and functional issues.

  • Supports effective incident response and mitigation.

  • Improves overall software reliability and security.

 Cons:

  • May require additional resources for monitoring and analysis.

  • Potential for false positives that need tuning.

Default value:
 Many development environments lack integrated anomaly detection by default.

Audit:
 Review monitoring logs, alerts, and incident reports for documented anomalous code behaviors. Verify coverage of monitoring tools and processes.

Remediation:
 Integrate static and dynamic analysis tools, behavioral monitoring, and logging into development and production environments. Establish procedures for alerting and investigating anomalies.

References:

  1.  https://owasp.org/www-project-application-security-monitoring/

  2.  https://www.cisecurity.org/controls/audit-log-management/

  3.  https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final