GRCWatch
Sign inStart free trial

CIS Control 16.12: Implement Code-Level Security Checks

Code vulnerabilities are among the fastest ways attackers infiltrate applications. CIS Control 16.12 requires organizations to use automated analysis tools that catch insecure coding patterns before they reach production. This control transforms development from a security afterthought into a secure-by-design process.

What this means

Control 16.12 mandates the deployment of static application security testing (SAST) and dynamic application security testing (DAST) tools across your software development lifecycle. Static analysis examines source code without execution to identify common vulnerabilities like SQL injection, buffer overflows, and hardcoded credentials. Dynamic analysis tests running applications to discover runtime vulnerabilities, authentication flaws, and configuration weaknesses. Together, these approaches ensure developers catch and remediate security issues during development rather than after deployment.

How to comply

  1. 1.Select and deploy static analysis tools (SAST) that scan your codebase for common weakness enumeration (CWE) violations and framework-specific vulnerabilities
  2. 2.Integrate SAST scanning into your CI/CD pipeline to automatically analyze code on every commit or pull request
  3. 3.Configure dynamic analysis tools (DAST) to test running instances of your applications in pre-production environments
  4. 4.Establish thresholds for critical and high-severity findings that block code promotion to production
  5. 5.Document all code-level security checks performed, tools used, findings identified, and remediation actions taken
  6. 6.Train development teams on interpreting scan results and remediating identified vulnerabilities
  7. 7.Schedule regular DAST assessments and penetration tests aligned with release cycles
  8. 8.Review and update SAST/DAST rules and signatures quarterly to address emerging threat classes

Evidence auditors look for

  • SAST tool configurations and integration documentation with CI/CD pipelines
  • Reports from automated code scans showing vulnerabilities detected and remediated
  • DAST assessment reports from pre-production testing environments
  • Change logs documenting when security findings were fixed and merged
  • Security policies defining code-level security check requirements and tool standards
  • Developer training records on secure coding practices and tool usage
  • Metrics dashboard showing trend of vulnerabilities discovered and resolution times
  • Tool licensing and version control documentation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates code-level security check integration with your CI/CD pipeline, logs all scan results and remediation actions in a compliance-ready audit trail, and tracks vulnerability metrics to demonstrate continuous CIS 16.12 compliance—eliminating manual security log consolidation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 16.1 — Establish a Secure Software Development ProcessCIS 16.2 — Establish a Process for Secure Software Development RequirementsCIS 16.11 — Conduct Code ReviewCIS 16.13 — Conduct a Secure Software Development Supply Chain Risk Review