16.1 Establish and Maintain a Secure Application Development Process

Implementation Groups: IG2, IG3
Asset Type: Applications
Security Function: Protect

Description

Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Select and configure vulnerability scanning tool
7. Define scan scope, frequency, and credentials
8. Establish vulnerability remediation SLAs by severity
9. Create exception/waiver process for unremediated findings
10. Develop or procure training content
11. Define training audience and completion requirements
12. Deploy training and track completion rates
13. Measure training effectiveness through testing/simulation
14. Draft policy/procedure document
15. Obtain stakeholder review and approval
16. Communicate to affected personnel
17. Schedule periodic review and updates
18. Inventory all third-party service providers
19. Classify third parties by risk level
20. Conduct security assessments of critical vendors
21. Include security requirements in contracts

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Systemic Security Flaws in Internally Developed Applications
Affected security property: Integrity

Multiple applications developed in-house contain the same categories of vulnerabilities, such as injection flaws and broken authentication, because no secure development process defines coding standards or security requirements.

Vulnerable Third-Party Code Integrated Without Review
Affected security property: Integrity

Developers incorporate open-source libraries with known critical vulnerabilities into production applications because the development process has no requirements for vetting third-party code security.

Security Bypassed to Meet Release Deadlines
Affected security property: Confidentiality

Applications are rushed to production without any security testing because no formal secure development process mandates security gates in the release pipeline.

Vulnerabilities (When Safeguard Absent)

No Secure Software Development Lifecycle (SSDLC)

Without a secure development process, there are no defined standards for secure design, coding practices, vulnerability management, or security testing, resulting in applications with systemic security weaknesses.

No Security Requirements in Development Pipeline

Absence of a formalized process means security testing, code review, and vulnerability assessment are not required stages in the software release lifecycle.
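
The two pipeline-level gaps above, no vetting requirement for third-party code and no mandatory security gate before release, are the kind of controls the process this Safeguard calls for has to pin down concretely. The Python script below is an added example, not text or tooling from CIS or from any vendor: a minimal release gate that reads a pinned dependency manifest, joins it against an advisory feed, applies a severity threshold and per-severity remediation SLAs (checklist item 8), and honours only approved, unexpired exceptions (checklist item 9). Every package name, advisory identifier, waiver and SLA value is constructed for illustration and should be replaced with the enterprise's own feed and policy.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Policy values are assumed for this example; align them with the documented
# remediation SLAs and exception process of the real development policy.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
BLOCK_AT = "high"  # findings at this severity or above fail the release gate


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    severity: str


def parse_lockfile(text: str) -> dict[str, str]:
    """Read pinned 'name==version' lines (pip requirements style).

    Unpinned entries are rejected outright: a gate cannot vet a version it
    cannot identify, and floating versions defeat reproducible builds.
    """
    deps: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency rejected by gate: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def match_findings(deps: dict[str, str], advisories: list[dict]) -> list[Finding]:
    """Join the pinned dependency set against an advisory feed by exact version."""
    found = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is not None and version in adv["vulnerable_versions"]:
            found.append(Finding(adv["package"], version, adv["id"], adv["severity"].lower()))
    return found


def waiver_covers(waivers: list[dict], finding: Finding, today: date) -> bool:
    """A waiver applies only if it names this advisory and package, is approved,
    and has not expired; an expired waiver reverts to blocking automatically."""
    for w in waivers:
        if (w["advisory"] == finding.advisory
                and w["package"].lower() == finding.package.lower()
                and w.get("approved") is True
                and date.fromisoformat(w["expires"]) >= today):
            return True
    return False


def evaluate_gate(lockfile_text: str, advisories: list[dict],
                  waivers: list[dict], today: date) -> dict:
    """Return the gate verdict plus an SLA due date for every matched finding.

    The SLA clock is assumed to start today (first detection); a real pipeline
    would persist the first-seen date so the deadline does not reset each run.
    """
    blocking, waived, remediate_by = [], [], {}
    for f in match_findings(parse_lockfile(lockfile_text), advisories):
        remediate_by[f.advisory] = today + timedelta(days=REMEDIATION_SLA_DAYS[f.severity])
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[BLOCK_AT]:
            continue  # tracked against its SLA, but does not stop the release
        (waived if waiver_covers(waivers, f, today) else blocking).append(f)
    return {"passed": not blocking, "blocking": blocking, "waived": waived,
            "remediate_by": remediate_by}


# Constructed sample inputs: fictional packages, advisory IDs and waiver.
SAMPLE_LOCKFILE = """\
acme-http==1.4.0      # constructed sample, not a real package
yaml-tools==0.9.2
webfw==3.1.0
"""

SAMPLE_ADVISORIES = [
    {"id": "EX-2024-001", "package": "acme-http", "vulnerable_versions": ["1.4.0", "1.4.1"], "severity": "high"},
    {"id": "EX-2024-002", "package": "yaml-tools", "vulnerable_versions": ["0.9.2"], "severity": "critical"},
    {"id": "EX-2024-003", "package": "webfw", "vulnerable_versions": ["3.1.0"], "severity": "low"},
]

SAMPLE_WAIVERS = [
    {"advisory": "EX-2024-001", "package": "acme-http", "approved": True,
     "approver": "appsec-lead", "expires": "2024-12-31",
     "reason": "vulnerable code path not reachable; upgrade scheduled"},
]


def run_sample(today_iso: str = "2024-06-01") -> dict:
    """Run the gate over the constructed sample inputs as of a given date."""
    return evaluate_gate(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, SAMPLE_WAIVERS,
                         date.fromisoformat(today_iso))


if __name__ == "__main__":
    result = run_sample()
    for f in result["blocking"]:
        print(f"BLOCK  {f.package}=={f.version} {f.advisory} ({f.severity}) "
              f"due {result['remediate_by'][f.advisory]}")
    for f in result["waived"]:
        print(f"WAIVED {f.package}=={f.version} {f.advisory}")
    raise SystemExit(0 if result["passed"] else 1)
```

On the sample data the critical finding blocks the build, the high finding passes only because its waiver is approved and still valid, and the low finding is recorded with a due date without stopping the release. Re-running the same inputs after the waiver's expiry date moves the high finding back into the blocking set, which is the property a waiver process needs: exceptions expire on their own rather than living forever in a spreadsheet.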

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
----------|----------------------------------------------------------------------------|----------------------------------------
Technical | Configuration screenshots or exports showing protection controls enabled   | Captured quarterly
Document  | Procedure documentation for protection measures                            | Reviewed annually
Technical | Vulnerability scan reports showing scope and findings                      | Per scan cycle
Record    | Vulnerability remediation tracking with SLA compliance metrics             | Monthly
Record    | Training completion records and compliance rates                           | Tracked continuously, reported quarterly
Document  | Training content and curriculum documentation                              | Reviewed annually
Record    | Third-party risk assessment reports and scorecards                         | Annually per vendor
Document  | Vendor contracts with security requirements                                | Per contract cycle
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually