16.11
IG2 IG3

Leverage Vetted Modules or Services for Application Security Components

Asset Type: Applications
Security Function: Protect

Description

Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify all data requiring encryption
7. Select approved encryption algorithms and key lengths (AES-256)
8. Deploy encryption solution and verify data protection
9. Establish key management procedures
10. Enable logging on all in-scope systems
11. Configure log forwarding to centralized SIEM
12. Define log retention periods per policy
13. Establish log review schedule and procedures
14. Identify systems requiring multi-factor authentication
15. Select and deploy MFA solution
16. Enroll users and distribute authentication factors
17. Test MFA across all identified systems

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Broken Custom Cryptography Implementation

Confidentiality

A developer implements a custom encryption algorithm instead of using a vetted cryptographic library, and the implementation contains fundamental flaws that allow attackers to decrypt sensitive data.

Authentication Bypass in Custom Identity Management Module

Confidentiality

A home-built authentication system contains logic flaws that allow attackers to bypass login because the developers built it from scratch instead of leveraging a vetted identity management framework.

Audit Log Tampering Due to Custom Logging Implementation

Integrity

An attacker modifies custom-built audit logs to cover their tracks because the application uses a bespoke logging system with no integrity protections instead of a vetted, tamper-evident logging framework.

Vulnerabilities (When Safeguard Absent)

Custom-Built Security Components Instead of Vetted Modules

Developers building custom implementations of security-critical functions such as encryption, authentication, and logging instead of using proven libraries are far more likely to introduce exploitable implementation flaws.

Inconsistent Security Component Quality Across Applications

Without standardizing on vetted modules for security functions, each application implements these capabilities differently, creating inconsistent quality and unpredictable security properties.
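
An added example (not part of the CIS text) contrasting a home-built password check with one assembled from vetted Python standard-library primitives (`hashlib.pbkdf2_hmac`, `secrets`, `hmac.compare_digest`). Python, the function names, the storage format and the iteration count are assumptions made for illustration; where the platform or framework already offers an identity service, that service is the vetted module to use.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; set per your own policy
SALT_BYTES = 16


def homebuilt_hash(password: str) -> str:
    """Home-built scheme (the 'before'): a single fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def homebuilt_verify(password: str, stored: str) -> bool:
    # Plain '==' is not a constant-time comparison.
    return homebuilt_hash(password) == stored


def vetted_hash(password: str) -> str:
    """Random per-user salt + PBKDF2-HMAC-SHA256 from the standard library."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Keep algorithm and parameters with the hash so they can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def vetted_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)  # constant-time comparison


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample input
    # Unsalted: equal passwords give equal digests, so one lookup table fits all.
    print("home-built digests equal:", homebuilt_hash(pw) == homebuilt_hash(pw))
    record = vetted_hash(pw)
    print("vetted records equal:   ", record == vetted_hash(pw))
    print("verify correct password:", vetted_verify(pw, record))
    print("verify wrong password:  ", vetted_verify("guess", record))
```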

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document | Procedure documentation for protection measures | Reviewed annually
Technical | Encryption configuration evidence (disk encryption status, TLS settings) | Scanned monthly
Document | Key management procedures and key rotation records | Reviewed annually
Technical | SIEM dashboard showing log sources and collection status | Captured monthly
Record | Log review records and findings | Per review cycle
Document | Governing policy document (current, approved, communicated) | Reviewed annually