16 ◾ Information Security Management Handbook
8. Penetration testing—This is used to validate the risks associated with the identified
vulnerabilities and should be reviewed quarterly.
9. Source code review—This is the review of the software source code for vulnerabilities before
the software is released. This is to be done on all software developed internally or by vendors.
This is used during the software development phase (using the SDLC) to fix the vulnerable
code before the software goes into production.
10. Configuration hardening—This is the hardening of the system before it goes into production.
A hardened system image should be used to build the system as opposed to trying to harden
an image supplied by a vendor. Penetration testing a ...