NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-11(8)Dynamic Code Analysis

Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Dynamic code analysis provides runtime verification of software programs using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic code analysis employs runtime tools to ensure that security functionality performs in the way it was designed. A type of dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing malformed or random data into software programs. Fuzz testing strategies are derived from the intended use of applications and the functional and design specifications for the applications. To understand the scope of dynamic code analysis and the assurance provided, organizations may also consider conducting code coverage analysis (i.e., checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (i.e., checking for words that are out of place in software code, such as non-English language words or derogatory terms).

Practitioner Notes

Dynamic code analysis (DAST) tests the running application by sending requests and examining responses. Unlike static analysis, it tests the application's actual behavior, including runtime configuration and environment-specific issues.

Example 1: Deploy a DAST tool (OWASP ZAP, Burp Suite Enterprise, Qualys WAS) to scan your web applications in a staging environment. Run authenticated scans that test behind the login page — most vulnerabilities are in authenticated functionality that surface-level scans never reach.

Example 2: Integrate DAST into your CI/CD pipeline. After deploying to a staging environment, automatically trigger an OWASP ZAP scan. Parse the results and fail the pipeline if critical or high findings are detected. This catches vulnerabilities in the running application before they reach production.

More System and Services Acquisition Controls

SA-1 Policy and Procedures SA-2 Allocation of Resources SA-3 System Development Life Cycle SA-3(1) Manage Preproduction Environment