Today, I will be going over Control 18 from version 7 of the CIS top 20 Critical Security Controls – Application Software Security. I will go through the eleven requirements and offer my thoughts on what I’ve found.


Key Takeaways for Control 18

  • Understand your risk. The first great addition to control 18 is the requirement to run both static and dynamic code analysis utilities on in-house developed code. The second is creating the ability for vulnerabilities to be reported to the company, especially by outside parties. Both of these will uncover vulnerabilities to the business which previously may have remained hidden for long periods of time.
  • Layered security is important. This point is repeated over and over again in control 18: start by training developers to write secure code, test the code they write, harden the environment around the code, and then install security tools in front of the code. The goal is to have multiple security layers to stop an attack before it can start.

Requirement Listing for Control 18

1. Establish Secure Coding Practices

Description: Establish secure coding practices appropriate to the programming language and development environment being used.

Notes: The first step in writing secure code is following best practices. OWASP has a great cheat sheet for the secure software development life cycle. Additionally, developers can study for the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) certification.

2. Ensure Explicit Error Checking is Performed for All In-house Developed Software

Description: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

Notes: Many common attacks against software come in the form of not sanitizing user input or not handling errors correctly. Both of these
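As an added illustration of requirement 2 (this is example code, not from the CIS document or the original post), the validator below checks every field of a request for presence, data type, size, range and format, and reports each problem explicitly instead of silently truncating or coercing the input. The field names and rules are constructed for the example.

```python
import re

# Constructed validation rules for a hypothetical "create user" request.
RULES = {
    "username": {"type": str, "max_len": 32, "pattern": r"^[A-Za-z0-9_]{3,32}$"},
    "age":      {"type": int, "min": 13, "max": 120},
    "email":    {"type": str, "max_len": 254, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
}


def validate(record, rules=RULES):
    """Return a list of explicit error strings; an empty list means the record is acceptable.

    Every rule is applied to every field and all problems are collected, so the
    caller can log or return a complete, documented reason for rejection.
    """
    errors = []
    for field, rule in rules.items():
        if field not in record:
            errors.append(f"{field}: missing")
            continue
        value = record[field]
        # Type check first. bool is a subclass of int in Python, so reject it explicitly.
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{field}: expected {rule['type'].__name__}, got {type(value).__name__}")
            continue
        # Size check before format check: never run a regex over oversized input.
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{field}: length {len(value)} exceeds {rule['max_len']}")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{field}: does not match required format")
        # Range checks for numeric fields.
        if "min" in rule and value < rule["min"]:
            errors.append(f"{field}: {value} is below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{field}: {value} is above maximum {rule['max']}")
    # Unknown fields are rejected rather than ignored (allow-list, not deny-list).
    for extra in sorted(set(record) - set(rules)):
        errors.append(f"{extra}: unexpected field")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs: one valid request and one with several defects.
    print(validate({"username": "alice_01", "age": 30, "email": "alice@example.com"}))
    print(validate({"username": "a", "age": "30", "email": "x" * 300, "role": "admin"}))
```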