CIS Control 18

CIS Control 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

18.1: Establish Secure Coding Practices

  • Establish secure coding practices appropriate to the programming language and development environment being used.

18.2: Ensure That Explicit Error Checking Is Performed for All In-House Developed Software

  • For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
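As an added example (not code from the original page or from CIS), the following Go program shows what "explicit error checking for all input" looks like in practice for one request type. The `ListenerRequest` fields, the 32-character name limit, the `[A-Za-z0-9_-]` pattern and the `tcp`/`udp` allow-list are assumptions chosen for the illustration; each check corresponds to one of the four categories the control names: size, data type, acceptable range and format.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"unicode/utf8"
)

// ListenerRequest is a hypothetical request body used to illustrate the
// checks 18.2 asks for. The field set and the limits are assumptions.
type ListenerRequest struct {
	Name string // size: 1..32 runes; format: [A-Za-z0-9_-]
	Port string // data type: decimal integer; range: 1..65535
	Mode string // format: allow-listed value
}

const maxNameRunes = 32

var (
	namePattern  = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
	allowedModes = map[string]bool{"tcp": true, "udp": true}
)

// ValidateRequest runs every check and returns all failures, not just the
// first, so the caller can log and report the full set. Nothing is trimmed
// or normalised before checking: input that needs repair to pass is rejected
// rather than silently coerced.
func ValidateRequest(r ListenerRequest) []error {
	var errs []error

	// Size: count runes rather than bytes so multi-byte characters can neither
	// bypass nor spuriously trip the limit. Size is checked before the regex
	// so an oversize string never reaches the pattern matcher.
	n := utf8.RuneCountInString(r.Name)
	switch {
	case n == 0 || n > maxNameRunes:
		errs = append(errs, fmt.Errorf("name: length %d outside 1..%d", n, maxNameRunes))
	case !namePattern.MatchString(r.Name):
		// Format: an allow-list of characters, never a deny-list of "bad" ones.
		errs = append(errs, errors.New("name: characters outside [A-Za-z0-9_-]"))
	}

	// Data type: strict base-10 parse; strconv rejects "80abc", " 80" and "0x50".
	// bitSize 32 is deliberate: "99999999999" fails here as a type error
	// before the range check below ever sees it.
	port, err := strconv.ParseUint(r.Port, 10, 32)
	switch {
	case err != nil:
		errs = append(errs, fmt.Errorf("port: not an unsigned decimal integer: %q", r.Port))
	case port < 1 || port > 65535:
		// Acceptable range for a TCP/UDP port number.
		errs = append(errs, fmt.Errorf("port: %d outside 1..65535", port))
	}

	// Format: exact membership in a fixed allow-list ("TCP" does not match "tcp").
	if !allowedModes[r.Mode] {
		errs = append(errs, fmt.Errorf("mode: %q not in {tcp, udp}", r.Mode))
	}
	return errs
}

func main() {
	// Constructed sample inputs: one well-formed request, one hostile one.
	good := ListenerRequest{Name: "api-gateway_01", Port: "8443", Mode: "tcp"}
	bad := ListenerRequest{Name: "api;rm -rf /", Port: "70000", Mode: "TCP"}
	for _, r := range []ListenerRequest{good, bad} {
		if errs := ValidateRequest(r); len(errs) == 0 {
			fmt.Printf("%+v: accepted\n", r)
		} else {
			fmt.Printf("%+v: rejected with %d error(s): %v\n", r, len(errs), errs)
		}
	}
}
```

The design choice worth copying is the order and the strictness: size before pattern, a parser that refuses anything but the exact expected type, and allow-lists everywhere a free-text deny-list would be tempting. Returning all failures at once also gives the audit trail the "documented" half of the control asks for.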

18.3: Verify That Acquired Software Is Still Supported

  • Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

18.4: Only Use Up-to-Date and Trusted Third-Party Components

  • Only use up-to-date and trusted third-party components for the software developed by the organization.

18.5: Use Only Standardized and Extensively Reviewed Encryption Algorithms

  • Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

18.6: Ensure Software Development Personnel Are Trained in Secure Coding

  • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

18.7: Apply Static and Dynamic Code Analysis Tools

  • Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

18.8: Establish a Process to Accept and Address Reports of Software Vulnerabilities

  • Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

18.9: Separate Production and Non-Production Systems

  • Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

18.10: Deploy Web Application Firewalls

  • Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, deploy application-specific firewalls if such tools exist for the given application type. If the traffic is encrypted, the WAF must either sit behind the point where TLS is terminated or be able to decrypt the traffic before analysis; a WAF that only sees ciphertext inspects nothing. If neither option is appropriate, deploy a host-based web application firewall on the application server itself.

18.11: Use Standard Hardening Configuration Templates for Databases

  • For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested against those templates to confirm the hardened configuration is actually in place.

Figure: System Entity Relationship Diagram

Copyright 2019, New Net Technologies LLC. All rights reserved. 