Control Summary
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Why is it needed?
Applications serve as user-friendly interfaces that enable users to access and manage data in a manner aligned with business operations. They also simplify user interactions by abstracting away the complexity of working directly with intricate system functions, such as logging into a database to insert or modify files. Enterprises rely on applications to oversee their most sensitive data and to regulate access to system resources. Consequently, an attacker can exploit vulnerabilities within the application itself to compromise data, bypassing the need for an elaborate sequence of network and system intrusion steps aimed at circumventing network security controls and sensors. This underscores the critical importance of safeguarding user credentials as outlined in CIS Control 6.
In the absence of valid credentials, application vulnerabilities become the preferred avenue of attack. However, contemporary applications operate within an intricate, diverse, and constantly evolving landscape. They are deployed across various platforms, including web, mobile, and the cloud, with architectural complexities that surpass traditional client-server or database-web server structures.
Implementing Control
To start implementing this control, a secure application development process must be established. Ideally, this process introduces security requirements early in the software development lifecycle and addresses secure design and coding standards, developer training, vulnerability management, secure testing processes, and third-party code security.
Safeguards at level 2 or 3:
16.1 Establish and Maintain a Secure Application Development Process
16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
16.3 Perform Root Cause Analysis on Security Vulnerabilities
16.4 Establish and Manage an Inventory of Third-Party Software Components
16.5 Use Up-to-Date and Trusted Third-Party Software Components
16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
16.8 Separate Production and Non-Production Systems
16.9 Train Developers in Application Security Concepts and Secure Coding
16.10 Apply Secure Design Principles in Application Architectures
16.11 Leverage Vetted Modules or Services for Application Security Components
16.12 Implement Code-Level Security Checks
16.13 Conduct Application Penetration Testing
16.14 Conduct Threat Modeling
