16

Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Why Is This Control Critical?

Attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities can be caused by coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions. Sophisticated attackers can find and exploit such vulnerabilities. Application security includes techniques such as security requirements, secure design, secure coding, secure deployment, vulnerability scanning, and web application firewalls.

Related Policy Templates

Secure Software Development Lifecycle Policy Application Security Policy

Safeguards (14)

ID Title Asset Type Function Implementation Groups
16.1 Establish and Maintain a Secure Application DevelopmentĀ Process Applications Protect
IG2 IG3
16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities Applications Protect
IG2 IG3
16.3 Perform Root Cause Analysis on Security Vulnerabilities Applications Protect
IG2 IG3
16.4 Establish and Manage an Inventory of Third>Party Software Components Applications Protect
IG2 IG3
16.5 Use Up>to>Date and Trusted Third>Party Software Components Applications Protect
IG2 IG3
16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities Applications Protect
IG2 IG3
16.7 Use Standard Hardening Configuration Templates for Application Infrastructure Applications Protect
IG2 IG3
16.8 Separate Production and Non>Production Systems Applications Protect
IG2 IG3
16.9 Train Developers in Application Security Concepts and Secure Coding Applications Protect
IG2 IG3
16.10 Apply Secure Design Principles in Application Architectures Applications Protect
IG2 IG3
16.11 Leverage Vetted Modules or Services for Application Security Components Applications Protect
IG2 IG3
16.12 Implement Code>Level Security Checks Applications Protect
IG3
16.13 Conduct Application Penetration Testing Applications Protect
IG3
16.14 Conduct Threat Modeling Applications Protect
IG3
Control 15 Control 17