CMMC Practice CA.3.162
Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.
Bold Coast Security Guidance
This practice relates to organizations that develop software in-house. For Level 3 compliance, an organization must have a comprehensive Software Development Lifecycle formally documented to include security testing of the code at each development stage.
Creating secure software implementations is difficult and requires extra steps to assess the code for security-related vulnerabilities. Security assessment is the process of reviewing software source code in order to identify defects or vulnerabilities within an application. Security assessment may be done using manual or automated techniques.