Any applications developed internally or outsourced should follow secure coding practices to prevent common vulnerabilities and potential data breaches. The application’s design and implementation should ensure that the risks of processing failures leading to a loss of integrity are minimized. Secure application development is a critical component of the information security program.
Application Security Best Practices
As a best practice, application security controls should address (i) the use of add, modify, and delete functions to implement changes to data; (ii) the procedures to prevent programs running in the wrong order or running after failure of prior processing; (iii) the use of appropriate programs to recover from failures to ensure the correct processing of data; and (iv) protection against attacks using buffer overruns/overflows.
A checklist for validation checking should be prepared, the validation activities documented, and the results kept secure. Integrity verification tools should be employed to detect unauthorized, security-relevant configuration changes to software and information. Information system flaws should be identified, documented, reported, and corrected. The information system should provide notification of failed security verification tests.
The detection of unauthorized security-relevant changes to the information system should be incorporated into the organization's incident response capability to ensure that such detected events are tracked, monitored, corrected, and retained for historical purposes.
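As an added illustration of the integrity verification described above (this is example code written for this page, not a product or a tool referenced by the original), the script below baselines SHA-256 digests of a deployed tree, re-checks the tree later, and classifies every difference as modified, added, or removed so the report can be handed to the incident response process. The file names and contents are constructed for the demo; the `demo()` routine tampers with its own temporary copy to show what a failed check looks like.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample deployment (file name -> content); not files from any real project.
SAMPLE_DEPLOYMENT = {
    "app/config.ini": b"[auth]\nmfa_required = true\n",
    "app/handler.py": b"def handle(req):\n    return 'ok'\n",
    "app/static/logo.txt": b"placeholder logo\n",
}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the digest of every regular file under root, keyed by relative POSIX path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify_integrity(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the stored baseline and classify each difference."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {
        "status": "fail" if (modified or added or removed) else "pass",
        "modified": modified,
        "added": added,
        "removed": removed,
    }


def write_sample(root: Path) -> None:
    """Materialise the constructed deployment under root."""
    for rel, content in SAMPLE_DEPLOYMENT.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return both verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample(root)
        baseline = build_baseline(root)
        clean = verify_integrity(root, baseline)
        # Simulated unauthorized changes: a config setting flipped, a debug script
        # dropped into production, and an asset deleted.
        (root / "app/config.ini").write_bytes(b"[auth]\nmfa_required = false\n")
        (root / "app/debug.py").write_bytes(b"print('debug')\n")
        (root / "app/static/logo.txt").unlink()
        tampered = verify_integrity(root, baseline)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: keep it on read-only media or sign it, and run the check from a host other than the one being verified, so that whoever changed the files cannot also rewrite the expected digests. A `"status": "fail"` report with the three lists is the event that should be raised to incident response.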
Development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) should not be included in the deployed software, or accessible in the production environment.
Applications should undergo application vulnerability testing annually by a qualified party; automated validation checks should be conducted at an organization-defined frequency, but no less than monthly and/or after organization-defined security-relevant events; and integrity checks of software and information should be performed daily.
Software development that is outsourced should be monitored to include independent security and code reviews. Formal contracts should be established with third-party software developers that address the following:
- Security of the code/application
- Licensing agreements
- Code ownership
- Intellectual property rights
- Certification of the quality and accuracy of the work completed
- Escrow arrangements in the event of failure of the third-party
- Rights of access for audit of the quality and accuracy of work performed
- Testing before installation to detect malicious code
Development, test, and production functions should be separated across multiple individuals or groups.
Application Security and Coding Guidelines
Application development should be based on secure coding guidelines to prevent common vulnerabilities and/or undergo appropriate testing to prevent potential data breaches. Applications that store, process or transmit sensitive information should undergo application penetration testing by a qualified third-party on an annual basis.
System and information integrity requirements should be developed, documented, disseminated, reviewed and updated annually. The information system should check the validity of organization-defined information inputs for accuracy, completeness, validity, and authenticity as close to the point of origin as possible.
Application firewalls should be placed in front of the critical servers to verify and validate the traffic going to the server. Alerts should be generated and any unauthorized traffic or services should be blocked.
For any public-facing web applications, new threats and vulnerabilities should be addressed on an ongoing basis, and the organization should ensure these applications are protected against known attacks.
To gain access to an application that uses or displays highly confidential or sensitive data, application-level user authentication must be used. When a confidential application is launched it must authenticate the user via a password or a device such as a smart card. Data stored by this application must be encrypted. If an unauthorized person or hacker breaks into the system, you will have an additional layer of protection for your sensitive data.
All systems that are part of critical business processes should be tested for proper configuration and application-level vulnerabilities prior to deployment.
Data Input/Output Validation
For organizations doing system development (e.g., applications, databases), specific data input/output validation checks should be manually or automatically performed. Applications should be protected, at a minimum, against the latest OWASP Top 10 (currently 2013).
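The following is an added example, written for this page rather than taken from it, of the input/output validation just described and of the earlier requirement that inputs be checked for accuracy, completeness, validity, and authenticity as close to the point of origin as possible. It validates a constructed JSON transaction message: authenticity is checked first with an HMAC tag (so nothing unauthenticated reaches the parser), then completeness (required fields), validity (allow-list formats), and accuracy (value ranges and a real calendar date); output validation is shown by encoding a field for the HTML context before it leaves the application. The field names, the allow-list patterns, and the shared secret are assumptions for the demo.

```python
import hashlib
import hmac
import html
import json
import re
from datetime import date

# Assumed shared secret between sender and receiver; a real deployment loads it from a secrets store.
SHARED_SECRET = b"example-secret-not-for-production"

# Allow-list patterns: anything that does not match is rejected rather than "cleaned up".
ACCOUNT_ID_RE = re.compile(r"^[A-Z]{2}\d{8}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Assumed message schema: field -> expected JSON type.
REQUIRED_FIELDS = {"account_id": str, "email": str, "amount_cents": int,
                   "posted_on": str, "memo": str}


def sign(payload: bytes) -> str:
    """HMAC-SHA256 tag the sender attaches so the receiver can check authenticity."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def validate_message(raw: bytes, tag: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Authenticity: constant-time comparison, done before any parsing of untrusted bytes.
    if not hmac.compare_digest(sign(raw), tag):
        return ["authenticity: HMAC tag mismatch"]
    try:
        msg = json.loads(raw)
    except ValueError:
        return ["validity: payload is not well-formed JSON"]
    if not isinstance(msg, dict):
        return ["validity: payload is not a JSON object"]
    # Completeness and type: every required field present with the expected type
    # (bool is excluded explicitly because it is a subclass of int in Python).
    for field, typ in REQUIRED_FIELDS.items():
        if field not in msg:
            findings.append(f"completeness: missing field {field}")
        elif not isinstance(msg[field], typ) or isinstance(msg[field], bool):
            findings.append(f"validity: field {field} has wrong type")
    if findings:
        return findings
    # Validity: format allow-lists.
    if not ACCOUNT_ID_RE.fullmatch(msg["account_id"]):
        findings.append("validity: account_id does not match allowed format")
    if not EMAIL_RE.fullmatch(msg["email"]):
        findings.append("validity: email does not match allowed format")
    # Accuracy: business ranges and a date that actually exists on the calendar.
    if not (0 < msg["amount_cents"] <= 100_000_000):
        findings.append("accuracy: amount_cents out of range")
    try:
        if date.fromisoformat(msg["posted_on"]).year < 2000:
            findings.append("accuracy: posted_on earlier than supported")
    except ValueError:
        findings.append("accuracy: posted_on is not a calendar date")
    if len(msg["memo"]) > 140:
        findings.append("validity: memo exceeds 140 characters")
    return findings


def render_memo(memo: str) -> str:
    """Output validation: encode for the HTML context right before the value is emitted."""
    return html.escape(memo, quote=True)


def demo() -> dict:
    """Run a well-formed, a malformed, and a tampered constructed message through the checks."""
    good = json.dumps({"account_id": "GB12345678", "email": "payer@example.com",
                       "amount_cents": 12500, "posted_on": "2024-03-01",
                       "memo": "Invoice 42"}).encode()
    bad = json.dumps({"account_id": "GB1234", "email": "not-an-email",
                      "amount_cents": -5, "posted_on": "2024-02-30",
                      "memo": "x" * 141}).encode()
    return {
        "good": validate_message(good, sign(good)),
        "bad": validate_message(bad, sign(bad)),
        "tampered": validate_message(good + b" ", sign(good)),  # payload altered in transit
        "escaped": render_memo("<b>Invoice</b> & Co"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of the checks is deliberate: the authenticity check runs on the raw bytes before the JSON parser sees them, and the format checks run before any value is used in a query or a response. Findings are collected as plain strings so they can be logged for the validation records the policy asks to keep.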
Outsourced Software Development
As discussed earlier, where software development is outsourced, formal contracts should be in place to address the ownership and security of the code and application, and the development process should be monitored by the organization and should include independent security and code reviews.
When you receive custom software developed for your organization by a consulting firm, evaluate the software before deploying it on your mission-critical systems. Hackers working for software companies may build in a backdoor to the system during development. Even though this is rare, check out your custom, mission-critical software before deployment.
Evidence of a Secure Application
- Secure coding guidelines and common vulnerabilities are identified and defined.
- Most recent application vulnerability test was performed within the past 12 months by a qualified party.
- Current system and information integrity requirements are maintained and have been reviewed/updated within the past 12 months.
- Evidence that web applications have implemented application-level firewalls with rule sets defined to effectively control traffic (e.g., denying unnecessary or risky ports and services).
- Evidence that functions available within the application are restricted by user or role according to the privileges assigned to that user or role.
- Evidence that applications which grant access to other applications control and approve that access.
- Evidence that applications accessed remotely have configuration settings (on the application or via the remote access client) that restrict the ability to copy, move, print, and store information locally.
- Versioning Tracking Reports/Audits
- Validation Testing and/or Audit Reviews
For more information and details on how we can help, contact us today!