SV-SP-2 - Insufficient Testing

Testing only focuses on functional requirements and rarely considers end to end or abuse cases

ID: SV-SP-2

DiD Layer: Prevention

CAPEC #: 28 | 214 | 215 | 261

NIST Rev5 Control Tag Mapping: CA-2(2) | CA-8 | CP-4 | CP-4(5) | PM-32 | RA-5 | RA-5(2) | RA-9 | SA-3 | SA-4 | SA-4(3) | SA-11 | SA-11(1) | SA-11(2) | SA-11(5) | SA-11(7) | SA-11(8) | SA-11(9) | SA-15 | SA-15(7) | SR-11 | SR-11(3)

Lowest Threat Tier to
Create Threat Event: II

Notional Risk Rank Score: 19

Informational References

CCSDS Threat Green Book

Low-Level Requirements

SPARTA ID	Requirement	Rationale/Additional Guidance/Notes
SPR-237	The [organization] shall establish robust procedures and technical methods to perform testing to include adversarial testing (i.e.abuse cases) of the platform hardware and software.{SV-SP-2,SV-SP-1}{CA-8,CP-4(5),RA-5,RA-5(1),RA-5(2),SA-3,SA-4(3),SA-11,SA-11(1),SA-11(2),SA-11(5),SA-11(7),SA-11(8),SA-15(7)}	Abuse-case testing reveals design weaknesses before deployment. Red-teaming strengthens defensive posture. Proactive validation reduces operational risk. Testing must simulate realistic threat scenarios.
SPR-238	The [organization] shall require subcontractors developing information system components or providing information system services (as appropriate) to demonstrate the use of a system development life cycle that includes [state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-9}{SA-3,SA-4(3)}	Select the particular subcontractors, software vendors, and manufacturers based on the criticality analysis performed for the Program Protection Plan and the criticality of the components that they supply. Examples of good security practices would be using defense-in-depth tactics across the board, least-privilege being implemented, two factor authentication everywhere possible, using DevSecOps, implementing and validating adherence to secure coding standards, performing static code analysis, component/origin analysis for open source, fuzzing/dynamic analysis with abuse cases, etc.
SPR-250	The [organization] shall verify that the scope of security testing/evaluation provides complete coverage of required security controls (to include abuse cases and penetration testing) at the depth of testing defined in the test documents.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-2,CA-8,RA-5(3),SA-11(5),SA-11(7)}	* The frequency of testing should be driven by Program completion events and updates. * Examples of approaches are static analyses, dynamic analyses, binary analysis, or a hybrid of the three approaches
SPR-252	The [organization] shall create and implement a security assessment plan that includes: (1) The types of analyses, testing, evaluation, and reviews of all software and firmware components; (2) The degree of rigor to be applied to include abuse cases and/or penetration testing; and (3) The types of artifacts produced during those processes.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-2,CA-8,SA-11,SA-11(5)}	The security assessment plan should include evaluation of mission objectives in relation to the security of the mission. Assessments should not only be control based but also functional based to ensure mission is resilient against failures of controls.
SPR-254	The [organization] shall employ dynamic analysis (e.g.using simulation, penetration testing, fuzzing, etc.) to identify software/firmware weaknesses and vulnerabilities in developed and incorporated code (open source, commercial, or third-party developed code).{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-8,CM-10(1),RA-3(1),SA-11(5),SA-11(8),SA-11(9),SI-3,SI-7(10)}	Dynamic testing uncovers runtime vulnerabilities not visible through static review. Techniques such as fuzzing and penetration testing simulate realistic adversarial behavior. Runtime validation improves detection of memory corruption, logic flaws, and unsafe state transitions. This reduces latent vulnerabilities prior to deployment.
SPR-266	The [organization] shall determine the vulnerabilities/weaknesses that require remediation, and coordinate the timeline for that remediation, in accordance with the analysis of the vulnerability scan report, the mission assessment of risk, and mission needs.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{CA-5,CM-3,RA-5,RA-7,SI-3,SI-3(10)}	Not all vulnerabilities carry equal mission impact. Risk-informed prioritization ensures critical flaws are addressed first. Coordinated timelines balance mission needs with security posture. Structured remediation strengthens governance.
SPR-269	The [organization] shall ensure that the vulnerability scanning tools (e.g., static analysis and/or component analysis tools) used include the capability to readily update the list of potential information system vulnerabilities to be scanned.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,RA-5(1),RA-5(3),SI-3}	Threat landscapes evolve rapidly. Regular tool updates ensure detection coverage remains current. Outdated signatures create blind spots. Continuous improvement sustains effectiveness.
SPR-271	The [organization] shall ensure that vulnerability scanning tools and techniques are employed that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: (1) Enumerating platforms, custom software flaws, and improper configurations; (2) Formatting checklists and test procedures; and (3) Measuring vulnerability impact. Scanning shall cover flight software, firmware, and link‑segment interfaces in hardware‑in‑the‑loop environments.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,RA-5(3),SI-3}	Component/Origin scanning looks for open-source libraries/software that may be included into the baseline and looks for known vulnerabilities and open-source license violations.
SPR-273	The [organization] shall perform static source code analysis for all available source code looking for [[organization]-defined Top CWE List] weaknesses using complimentary set of static code analysis tools (i.e.more than one).{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,SA-11(1),SA-15(7)}	Static analysis detects coding weaknesses before execution. Using multiple tools increases detection coverage. Alignment with defined CWE priorities ensures focus on high-risk flaws. Early detection reduces downstream remediation cost.
SPR-274	The [organization] shall analyze vulnerability/weakness scan reports and results from security control assessments.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5,SI-3}	Scan results require expert interpretation to avoid false positives or overlooked risks. Structured analysis ensures meaningful remediation. Correlating findings with mission context refines prioritization. Review strengthens governance.
SPR-276	The [organization] shall perform component analysis (a.k.a.origin analysis) for developed or acquired software.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-15(7),RA-5}
SPR-279	The [organization] shall perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Program-defined depth and coverage].{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11}	The depth needs to include functional testing as well as negative/abuse testing.
SPR-291	The [organization] shall use the threat and vulnerability analyses of the as-built system, system components, or system services to inform and direct subsequent testing/evaluation of the as-built system, component, or service.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-3(3),SA-11(2),SA-15(8),SI-3}	Security analysis should guide test design. Threat-informed evaluation improves relevance. Feedback loops strengthen defensive posture. Analytical alignment enhances coverage.
SPR-337	The [organization] shall ensure that the list of potential system vulnerabilities scanned is updated [prior to a new scan] {SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{RA-5(2),SI-3}	Outdated vulnerability signatures reduce detection capability. Updating scan definitions ensures coverage against emerging threats. Proactive updates prevent blind spots. Continuous refresh strengthens scanning effectiveness.
SPR-397	The [organization] shall create prioritized list of software weakness classes (e.g., Common Weakness Enumerations) to be used during static code analysis for prioritization of static analysis results.{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-6,SV-SP-7,SV-SP-9,SV-SP-11}{SA-11(1),SA-15(7)}	The prioritized list of CWEs should be created considering operational environment, attack surface, etc. Results from the threat modeling and attack surface analysis should be used as inputs into the CWE prioritization process. There is also a CWSS (https://cwe.mitre.org/cwss/cwss_v1.0.1.html) process that can be used to prioritize CWEs. The prioritized list of CWEs can help with tools selection as well as you select tools based on their ability to detect certain high priority CWEs.
SPR-436	The [organization] shall require the developer of the system, system component, or system services to demonstrate the use of a system development life cycle that includes [state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].{SV-SP-1,SV-SP-2,SV-SP-3,SV-SP-9}{SA-3,SA-4(3)}	Examples of good security practices would be using defense-in-depth tactics across the board, least-privilege being implemented, two factor authentication everywhere possible, using DevSecOps, implementing and validating adherence to secure coding standards, performing static code analysis, component/origin analysis for open source, fuzzing/dynamic analysis with abuse cases, etc.

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description
REC-0006		Gather FSW Development Information	Adversaries collect a cradle-to-operations view of how flight software is built, tested, signed, and released. Useful artifacts include architecture docs, source trees and SBOMs, compiler/linker toolchains and flags, RTOS and middleware versions, build scripts, CI/CD pipelines, code-signing workflows, defect trackers, and release notes that describe “as-built” vs. “as-flown” deltas. They also seek integration environments, emulators/SIL, flatsats/iron birds, hardware-in-the-loop rigs, and the autonomy/FDIR logic that governs mode transitions and patch acceptance. With this knowledge, a threat actor can identify weak crypto or provenance controls on update paths, predict error-handling behavior, and craft inputs that slip past unit/integration tests. Even small disclosures (e.g., a linker script, an assert string, or a sanitized crash dump) shrink the search space for exploitation.

ID	Name	Description	NIST Rev5	D3FEND	ISO 27001
CM0008	Security Testing Results	As penetration testing and vulnerability scanning is a best practice, protecting the results from these tests and scans is equally important. These reports and results typically outline detailed vulnerabilities and how to exploit them. As with countermeasure CM0001, protecting sensitive information from disclosure to threat actors is imperative.	AC-3(11) \| CA-8 \| CA-8(1) \| CM-4 \| CP-4 \| IR-3 \| IR-3(1) \| IR-3(2) \| IR-6(2) \| RA-5 \| RA-5(11) \| SA-11 \| SA-11(3) \| SA-11(5) \| SA-4(5) \| SA-5	D3-AI \| D3-AVE \|	A.8.4 \| A.8.9 \| A.5.29 \| A.5.30 \| A.8.8 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.37 \| A.8.29 \| A.8.30
CM0020	Threat modeling	Use threat modeling, attack surface analysis, and vulnerability analysis to inform the current development process using analysis from similar systems, components, or services where applicable. Reduce attack surface where possible based on threats.	CA-3 \| CM-4 \| CP-2 \| PL-8 \| PL-8(1) \| RA-3 \| SA-11 \| SA-11(2) \| SA-11(3) \| SA-11(6) \| SA-15(6) \| SA-15(8) \| SA-2 \| SA-3 \| SA-4(9) \| SA-8 \| SA-8(25) \| SA-8(30)	D3-AI \| D3-AVE \| D3-SWI \| D3-HCI \| D3-NM \| D3-LLM \| D3-ALLM \| D3-PLLM \| D3-PLM \| D3-APLM \| D3-PPLM \| D3-SYSM \| D3-DEM \| D3-SVCDM \| D3-SYSDM \|	A.5.14 \| A.8.21 \| A.8.9 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.5.8 \| 6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30
CM0022	Criticality Analysis	Conduct a criticality analysis to identify mission critical functions, critical components, and data flows and reduce the vulnerability of such functions and components through secure system design. Focus supply chain protection on the most critical components/functions. Leverage other countermeasures like segmentation and least privilege to protect the critical components.	CM-4 \| CP-2 \| CP-2(8) \| PL-7 \| PL-8 \| PL-8(1) \| PM-11 \| PM-17 \| PM-30 \| PM-30(1) \| PM-32 \| RA-3 \| RA-3(1) \| RA-9 \| SA-11 \| SA-11(3) \| SA-15(3) \| SA-2 \| SA-3 \| SA-4(5) \| SA-4(9) \| SA-8 \| SA-8(25) \| SA-8(3) \| SA-8(30) \| SC-32(1) \| SC-7(29) \| SR-1 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(2) \| SR-3(3) \| SR-5(1) \| SR-7	D3-AVE \| D3-OSM \| D3-IDA \| D3-SJA \| D3-AI \| D3-DI \| D3-SWI \| D3-NNI \| D3-HCI \| D3-NM \| D3-PLM \| D3-AM \| D3-SYSM \| D3-SVCDM \| D3-SYSDM \| D3-SYSVA \| D3-OAM \| D3-ORA \|	A.8.9 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.5.30 \| 8.1 \| A.5.8 \| A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| 6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| A.5.22 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.22
CM0011	Vulnerability Scanning	Vulnerability scanning is used to identify known software vulnerabilities (excluding custom-developed software - ex: COTS and Open-Source). Utilize scanning tools to identify vulnerabilities in dependencies and outdated software (i.e., software composition analysis). Ensure that vulnerability scanning tools and techniques are employed that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: (1) Enumerating platforms, custom software flaws, and improper configurations; (2) Formatting checklists and test procedures; and (3) Measuring vulnerability impact.	CM-10(1) \| RA-3 \| RA-5 \| RA-5(11) \| RA-5(3) \| RA-7 \| SA-11 \| SA-11(3) \| SA-15(7) \| SA-3 \| SA-4(5) \| SA-8 \| SA-8(30) \| SI-3 \| SI-3(10) \| SI-7	D3-AI \| D3-NM \| D3-AVE \| D3-NVA \| D3-PM \| D3-FBA \| D3-OSM \| D3-SFA \| D3-PA \| D3-PSA \| D3-PLA \| D3-PCSV \| D3-FA \| D3-DA \| D3-ID \| D3-HD \| D3-UA \|	6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| A.8.7
CM0018	Dynamic Testing	Employ dynamic analysis (e.g., using simulation, penetration testing, fuzzing, etc.) to identify software/firmware weaknesses and vulnerabilities in developed and incorporated code (open source, commercial, or third-party developed code). Testing should occur (1) on potential system elements before acceptance; (2) as a realistic simulation of known adversary tactics, techniques, procedures (TTPs), and tools; and (3) throughout the lifecycle on physical and logical systems, elements, and processes. FLATSATs as well as digital twins can be used to perform the dynamic analysis depending on the TTPs being executed. Digital twins via instruction set simulation (i.e., emulation) can provide robust environment for dynamic analysis and TTP execution.	CA-8 \| CA-8(1) \| CM-4(2) \| CP-4(5) \| RA-3 \| RA-5(11) \| RA-7 \| SA-11 \| SA-11(3) \| SA-11(5) \| SA-11(8) \| SA-11(9) \| SA-3 \| SA-8 \| SA-8(30) \| SC-2(2) \| SC-7(29) \| SI-3 \| SI-3(10) \| SI-7 \| SR-6(1)	D3-DA \| D3-FBA \| D3-PSA \| D3-PLA \| D3-PA \| D3-SEA \| D3-MBT \|	6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| A.8.7
CM0019	Static Analysis	Perform static source code analysis for all available source code looking for system-relevant weaknesses (see CM0016) using no less than two static code analysis tools.	CM-4(2) \| RA-3 \| RA-5 \| RA-7 \| SA-11 \| SA-11(1) \| SA-11(3) \| SA-11(4) \| SA-15(7) \| SA-3 \| SA-8 \| SA-8(30) \| SI-7	D3-PM \| D3-FBA \| D3-FEMC \| D3-FV \| D3-PFV \| D3-SFV \| D3-OSM \|	6.1.2 \| 8.2 \| 9.3.2 \| A.8.8 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.8.29 \| A.8.30 \| A.8.28

SV-SP-2 - Insufficient Testing

Informational References

High-Level Requirements

Low-Level Requirements

Related SPARTA Techniques and Sub-Techniques

Related SPARTA Countermeasures