CIS Control 18

CIS Control 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

18.1: Establish Secure Coding Practices

  • Establish secure coding practices appropriate to the programming language and development environment being used.

18.2: Ensure That Explicit Error Checking Is Performed for All In-House Developed Software

  • For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
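An added example (not part of the CIS document or any NNT software) showing what "explicit, documented error checking" for size, data type, range and format can look like in practice: every rule is named, every rejection is recorded against the rule that failed, and unknown fields are refused rather than ignored. The record layout and its field specification are hypothetical, constructed here for illustration.

```python
import re

# Hypothetical specification for a constructed "order" record. Each field
# states its data type, its size limit, and its acceptable range or format,
# so the checks are explicit and documented in one place (CIS 18.2).
FIELD_SPECS = {
    "customer_id": {"type": str, "max_len": 16, "format": re.compile(r"^[A-Z0-9]{4,16}$")},
    "quantity":    {"type": int, "min": 1, "max": 500},
    "email":       {"type": str, "max_len": 254,
                    "format": re.compile(r"^[^@\s]{1,64}@[^@\s]+\.[A-Za-z]{2,}$")},
    "note":        {"type": str, "max_len": 200, "optional": True},
}

def validate_record(record):
    """Return a list of (field, rule, detail) tuples; an empty list means accepted."""
    errors = []
    # Unknown fields are rejected, not silently dropped.
    for name in record:
        if name not in FIELD_SPECS:
            errors.append((name, "unknown_field", "not in specification"))
    for name, spec in FIELD_SPECS.items():
        if name not in record:
            if not spec.get("optional"):
                errors.append((name, "missing", "required field absent"))
            continue
        value = record[name]
        # Data type first; bool is a subclass of int, so exclude it explicitly.
        if not isinstance(value, spec["type"]) or isinstance(value, bool):
            errors.append((name, "type", f"expected {spec['type'].__name__}"))
            continue
        # Size limit is enforced before any pattern matching on the value.
        if "max_len" in spec and len(value) > spec["max_len"]:
            errors.append((name, "size", f"longer than {spec['max_len']}"))
            continue
        if "min" in spec and value < spec["min"]:
            errors.append((name, "range", f"below minimum {spec['min']}"))
        if "max" in spec and value > spec["max"]:
            errors.append((name, "range", f"above maximum {spec['max']}"))
        if "format" in spec and not spec["format"].match(value):
            errors.append((name, "format", "does not match required pattern"))
    return errors

# Constructed sample inputs: one well-formed record and one failing several rules.
GOOD = {"customer_id": "ACME0042", "quantity": 3, "email": "buyer@example.com"}
BAD = {"customer_id": "acme-42", "quantity": True, "email": "x" * 300, "extra": 1}
```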

18.3: Verify That Acquired Software Is Still Supported

  • Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

18.4: Only Use Up-to-Date and Trusted Third-Party Components

  • Only use up-to-date and trusted third-party components for the software developed by the organization.

18.5: Use Only Standardized and Extensively Reviewed Encryption Algorithms

  • Use only standardized, currently accepted, and extensively reviewed encryption algorithms.

18.6: Ensure Software Development Personnel Are Trained in Secure Coding

  • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

18.7: Apply Static and Dynamic Code Analysis Tools

  • Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

18.8: Establish a Process to Accept and Address Reports of Software Vulnerabilities

  • Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

18.9: Separate Production and Non-Production Systems

  • Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

18.10: Deploy Web Application Firewalls

  • Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

18.11: Use Standard Hardening Configuration Templates for Databases

  • For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Figure: System Entity Relationship Diagram

Copyright 2021, New Net Technologies LLC. All rights reserved.