Security Control 6:
Application Software Security

Neutralize vulnerabilities in web-based and other application software: carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic for high-risk applications, and explicitly check all user input for errors (including by size and data type).

Key: REQ = Required, REC = Recommended, OPT = Optional

ID   Details   High   Med   Low

6.1

Ensure your application is protected against OWASP Top 10 and CWE/SANS Top 25 software vulnerabilities (see UCI Application Security Checklist).

REQ REQ REQ

6.2

Test in-house-developed and third-party-procured web and other application software for coding errors and malware insertion, including backdoors, prior to deployment using automated static code analysis software.


If source code is not available, test compiled code using static binary analysis tools. In particular, input validation and output encoding routines of application software should be carefully reviewed and tested.

REQ REQ REQ
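The overview's requirement to check all user input by size and data type, and 6.2's call to review input validation and output encoding routines, are illustrated by the following added example. It is not part of the UCI checklist; the form fields, length limits and character rules are constructed for illustration. The validation is allow-list based (type, then length, then format) and the output encoding is applied at the point where untrusted values enter HTML, which is the pattern a code review of these routines should look for.

```python
import html
import re

# Hypothetical size and format rules for a registration form (constructed for this example).
MAX_USERNAME_LEN = 32
MAX_COMMENT_LEN = 2000
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


class ValidationError(ValueError):
    """Raised when a field fails a type, size or format check."""


def validate_registration(form):
    """Allow-list validation of every field: presence, Python type, length and
    format are checked before the value is used. Returns a cleaned copy."""
    cleaned = {}

    # username: must be a string, bounded length, restricted character set
    username = form.get("username")
    if not isinstance(username, str):
        raise ValidationError("username: expected string")
    if not 1 <= len(username) <= MAX_USERNAME_LEN:
        raise ValidationError("username: length out of range")
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username: invalid characters")
    cleaned["username"] = username

    # age: must be an int (bool is an int subclass, so exclude it explicitly) within range
    age = form.get("age")
    if isinstance(age, bool) or not isinstance(age, int):
        raise ValidationError("age: expected integer")
    if not 0 <= age <= 150:
        raise ValidationError("age: out of range")
    cleaned["age"] = age

    # comment: free text with a size bound only; its content is made safe by
    # output encoding when rendered, not by trying to strip "bad" characters here
    comment = form.get("comment", "")
    if not isinstance(comment, str):
        raise ValidationError("comment: expected string")
    if len(comment) > MAX_COMMENT_LEN:
        raise ValidationError("comment: too long")
    cleaned["comment"] = comment
    return cleaned


def check_registration(form):
    """Convenience wrapper: returns the error message, or None when the form is valid."""
    try:
        validate_registration(form)
        return None
    except ValidationError as exc:
        return str(exc)


def render_profile(cleaned):
    """Output encoding: every untrusted value is HTML-escaped where it is inserted
    into markup, so a comment containing <script> is displayed as text, not executed."""
    return (
        f"<p>User: {html.escape(cleaned['username'])}</p>"
        f"<p>Age: {cleaned['age']}</p>"
        f"<p>Comment: {html.escape(cleaned['comment'], quote=True)}</p>"
    )


if __name__ == "__main__":
    # Constructed sample submissions, one valid and several failing a single check each.
    good = {"username": "alice_1", "age": 30, "comment": "<script>alert(1)</script>"}
    print(render_profile(validate_registration(good)))
    for bad in (
        {"username": "a" * 40, "age": 30},            # size
        {"username": "alice", "age": "30"},           # data type
        {"username": "alice;drop", "age": 30},        # format
        {"username": "alice", "age": True},           # bool masquerading as int
    ):
        print(check_registration(bad))
```

The length check runs before the regular expression so that an oversized input is rejected cheaply without being matched, and the comment field is deliberately not "sanitized" on input: keeping the raw text and encoding on output is what lets the same stored value be rendered safely in more than one context.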

6.3

Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on at least an annual basis.

REQ REQ REQ

6.4

For applications that rely on a database, conduct a configuration review of both the operating system housing the database and the database software itself, checking settings to ensure that the database system has been hardened.

REQ REQ REQ

6.5

Verify that security considerations are taken into account throughout the requirement, design, implementation, testing, and other phases of the software development life cycle of all applications.

REQ REQ REQ

6.6

Ensure that all software development personnel receive training in writing secure code for their specific development environment.

REQ REQ REQ

6.7

Get written authorization from the data proprietor to store or access data in the application.

REQ REQ REQ

6.8

De-identify data in non-production environments.

REQ REQ REQ
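Control 6.8 states the requirement without saying how de-identification is done, so the following added example (not from the UCI checklist) shows one common approach for copying a customer table into a test environment: direct identifiers are dropped or replaced with keyed pseudonyms, quasi-identifiers are generalized, and a check confirms that none of the original identifying values survive. The record layout, field names and sample rows are constructed; the HMAC key is a placeholder that in practice would come from a secret store used only by the de-identification job.

```python
import hashlib
import hmac

# Placeholder key for this example only. The key stays with the de-identification
# job and is never deployed to the non-production environment, so the pseudonyms
# cannot be reversed or brute-forced there.
PSEUDONYM_KEY = b"example-key-do-not-use"

# Constructed sample rows standing in for a production customer table.
SAMPLE_CUSTOMERS = [
    {"customer_id": "C1001", "email": "alice@example.com", "full_name": "Alice Example",
     "national_id": "123-45-6789", "date_of_birth": "1984-07-14", "account_balance": 1250.50},
    {"customer_id": "C1002", "email": "bob@example.org", "full_name": "Bob Sample",
     "national_id": "987-65-4321", "date_of_birth": "1991-02-03", "account_balance": 80.00},
]

DIRECT_IDENTIFIERS = ("customer_id", "email", "full_name", "national_id")


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed hash: the same real identifier always maps to the same token, so
    foreign keys between de-identified tables still join, but without the key
    the token cannot be linked back to the person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify_record(record, key=PSEUDONYM_KEY):
    """Return a test-safe copy of one customer row."""
    token = pseudonymize(record["customer_id"], key)
    return {
        "customer_id": token,                            # stable pseudonym; joins keep working
        "email": f"{token}@example.invalid",             # synthetic, undeliverable address
        "full_name": f"Customer {token[:6]}",            # synthetic display name
        "birth_year": record["date_of_birth"][:4],       # generalized: year only
        "account_balance": record["account_balance"],    # non-identifying, kept so tests stay realistic
        # national_id is a direct identifier with no testing value: dropped entirely
    }


def deidentify_table(rows, key=PSEUDONYM_KEY):
    return [deidentify_record(row, key) for row in rows]


def leaks_direct_identifiers(original, deidentified):
    """True if any original direct-identifier value appears anywhere in the output row.
    Run this as a gate before the copy is released to the non-production environment."""
    output_text = " ".join(str(v) for v in deidentified.values())
    return any(str(original[field]) in output_text for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    for before, after in zip(SAMPLE_CUSTOMERS, deidentify_table(SAMPLE_CUSTOMERS)):
        print(after, "LEAK" if leaks_direct_identifiers(before, after) else "ok")
```

Using a keyed hash rather than a plain SHA-256 matters: customer IDs and e-mail addresses have low entropy, so an unkeyed hash of them can be reversed by hashing guesses, which would defeat the purpose of the control.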

6.9

Ensure the application runs as, and connects to other services using, the least-privileged user possible.

REQ REQ REQ

6.10

Use centrally managed authentication and authorization services.

REQ REQ REC

Additional Reading