...
DoD acquisition programs are specifying the Application Security and Development Security Technical Implementation Guide (STIG) in requests for proposal (RFPs). Below is information for the last two versions of the Application Security and Development Security STIG, Version 4, Release 1 and Version 3, Release 10.
Application Security and Development
...
STIG, Version 4, Release 1 [DISA 2016]
Section 2.1 of the Application Security and Development STIG Overview, "Security Assessment Information", requires that "...coding standards, application vulnerability scan reports, and automated code review results are all part of the suite of system documentation that is expected to be available for review when conducting a security assessment of an application."
...
- (APSC-DV-003150: CAT II) At least one tester must be designated to test for security flaws in addition to functional testing.
- (APSC-DV-003170: CAT II) An application code review must be performed on the application.
- (APSC-DV-003210: CAT II) Security flaws must be fixed or addressed in the project plan.
- (APSC-DV-003400: CAT II) The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function.
Application Security and Development
...
STIG, Version 3, Release 10 [DISA 2015]
Section 2.1.5, "Coding Standards," requires that "the Program Manager will ensure the development team follows a set of coding standards."
...