A new standard covering the secure product development lifecycle has been ratified, officially making static code analysis, software composition analysis, and malformed input testing part of the requirements.
Known officially as ISA-62443-4-1, "Security for industrial automation and control systems Part 4-1: Secure product development life-cycle requirement," it is part of a larger certification program designed to assess a supplier's product development lifecycle processes for industrial automation control systems. ISA and IEC standards are used by various industries and are often mandated by law in Europe.
Of interest to software testers is Section 8.2.1 (c), Static Code Analysis (SCA), which states that this testing shall be done if such testing exists for the language used and/or if the software has changed. A separate section addresses testing for third-party software.
Section 9.4 SV-3 covers vulnerability testing, which includes fuzz testing, network traffic load testing and capacity testing, attack surface analysis, and black box known vulnerability scanning. It also covers software composition analysis on all binary executables, addressing the following types of problems at a minimum:
(1) known vulnerabilities in the product software components,
(2) linking to vulnerable libraries,
(3) security rule violations, and
(4) compiler settings that may lead to vulnerabilities.