CIS Control 18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
18.1: Establish Secure Coding Practices
- Establish secure coding practices appropriate to the programming language and development environment being used.
18.2: Ensure That Explicit Error Checking Is Performed for All In-House Developed Software
- For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
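Added example (not from the CIS document) of what sub-control 18.2 asks for in practice: a validator for a hypothetical "create user" request that checks every field explicitly for type, size, and acceptable range or format, and returns every finding so the rejection can be documented. The field names, limits and patterns are constructed for illustration.

```python
import re

# Constructed rules for a hypothetical "create user" request body.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}")
ALLOWED_FIELDS = {"username", "email", "age", "quota_mb"}
MAX_STR_LEN = 254


def _check_str(errors, name, value, max_len, pattern):
    # Type, then size, then format: the size check runs before the regex
    # so oversized input is rejected without ever being scanned.
    if not isinstance(value, str):
        errors.append(f"{name}: expected string, got {type(value).__name__}")
    elif len(value) > max_len:
        errors.append(f"{name}: length {len(value)} exceeds {max_len}")
    elif not pattern.fullmatch(value):
        errors.append(f"{name}: does not match required format")


def _check_int(errors, name, value, lo, hi):
    # bool is a subclass of int in Python, so it must be excluded explicitly
    # or True/False would pass as 1/0.
    if isinstance(value, bool) or not isinstance(value, int):
        errors.append(f"{name}: expected integer, got {type(value).__name__}")
    elif not lo <= value <= hi:
        errors.append(f"{name}: {value} outside allowed range {lo}..{hi}")


def validate_create_user(body):
    """Check every field explicitly and return ALL findings (empty list = valid),
    so the rejection can be logged and documented in full."""
    errors = []
    if not isinstance(body, dict):
        return ["body: expected JSON object"]
    for name in sorted(set(body) - ALLOWED_FIELDS):
        errors.append(f"{name}: unexpected field")       # reject unknown keys
    for name in sorted(ALLOWED_FIELDS - set(body)):
        errors.append(f"{name}: missing required field")
    if "username" in body:
        _check_str(errors, "username", body["username"], 32, USERNAME_RE)
    if "email" in body:
        _check_str(errors, "email", body["email"], MAX_STR_LEN, EMAIL_RE)
    if "age" in body:
        _check_int(errors, "age", body["age"], 13, 120)
    if "quota_mb" in body:
        _check_int(errors, "quota_mb", body["quota_mb"], 0, 10240)
    return errors
```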
18.3: Verify That Acquired Software Is Still Supported
- Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
18.4: Only Use Up-to-Date and Trusted Third-Party Components
- Only use up-to-date and trusted third-party components for the software developed by the organization.
18.5: Use Only Standardized and Extensively Reviewed Encryption Algorithms
- Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
18.6: Ensure Software Development Personnel Are Trained in Secure Coding
- Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
18.7: Apply Static and Dynamic Code Analysis Tools
- Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
18.8: Establish a Process to Accept and Address Reports of Software Vulnerabilities
- Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
18.9: Separate Production and Non-Production Systems
- Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
18.10: Deploy Web Application Firewalls
- Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
18.11: Use Standard Hardening Configuration Templates for Databases
- For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Figure: System Entity Relationship Diagram
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.