CSA CCM TVM-07

Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.

Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
TVM-07 | Penetration Testing | mitigates | T1190 | Exploit Public-Facing Application | see Comments
TVM-07 | Penetration Testing | mitigates | T1499.004 | Application or System Exploitation | see Comments
TVM-07 | Penetration Testing | mitigates | T1211 | Exploitation for Defense Evasion | see Comments
TVM-07 | Penetration Testing | mitigates | T1212 | Exploitation for Credential Access | see Comments

Comments (the same comment applies to all four mappings above)

This control requires both the CSP and the CSC to conduct regular penetration testing using reputable third parties for the overall testing process and for communication of results within agreed boundaries. The control guidance states that penetration testing should be used to identify critical vulnerabilities, assess the effectiveness of security controls and validate compliance with industry standards, in order to provide recommendations for remediation and security improvements in cloud environments. The mapping for TVM-07 Penetration Testing is aligned with the M1016 Vulnerability Scanning mitigation definition of using "automated or manual assessment of systems, applications, and networks to identify misconfigurations, unpatched software, or other security weaknesses." Penetration testing in this context can take the form of cloud environment scanning, the use of application security testing (SAST/DAST) tools, and the use of red team cloud tools (Pacu, StormSpotter) to detect vulnerabilities and weaknesses for exploitation and impact.