Any newly acquired information system should undergo security testing during development. Testing should cover security functions, secure coding, and secure configurations. Test plans should be proportionate and include criteria for evaluation. Automated tools can be used for testing. Outsourced development should follow an acquisition process in which contracts address security requirements. Organizations should test in an environment that matches the production environment.