The way we interact with applications has changed dramatically over the years. Enterprises rely on applications in day-to-day operations to manage their most sensitive data and to control access to system resources. Instead of traversing a labyrinth of networks and systems, attackers today see an opening to turn an organization's applications against it, bypassing network security controls and compromising sensitive data.

Key Takeaways for Control 16

Implementation of Secure Software Development Framework (SSDF)

Layering a dedicated secure-development framework onto the software development lifecycle (SDLC) raises the security of every lifecycle phase, from design through release and maintenance. NIST SP 800-218, the Secure Software Development Framework (SSDF), is a comprehensive set of recommended secure practices to establish within the development lifecycle.

Safeguards for Control 16

  1. Establish and Maintain a Secure Application Development Process

Description: Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Protect. Frameworks tailored specifically to securing software now exist and can be used alongside a company's existing SDLC. NIST SP 800-218 is the Secure Software Development Framework (SSDF), which describes "a core set of high-level secure software development practices that can be integrated into each SDLC implementation."

  2. Establish and Maintain a Process to Accept and Address Software Vulnerabilities

Description: Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation (Read more...)