Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
Establish secure coding practices appropriate to the programming language and development environment being used.
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
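The explicit input checking described above, as an added example that is not part of the original control text: a small validator for a hypothetical JSON order payload (the field names, limits and sample inputs are assumptions for illustration). It bounds the raw body size before parsing, rejects unknown and missing fields, checks each field's type, and then applies range or format checks, failing closed with a message that names the first check that failed.

```python
import json
import re
from typing import Optional

MAX_BODY_BYTES = 4096                                  # size bound applied before parsing
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")      # format + length, used with fullmatch
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[^@\s]{1,253}")   # deliberately simple format check
MIN_QTY, MAX_QTY = 1, 100                              # acceptable range for quantity


class ValidationError(ValueError):
    """Raised with a message naming the first failed check."""


def validate_order(raw: object) -> dict:
    """Type, range and format checks on an already-parsed order object (hypothetical schema)."""
    if not isinstance(raw, dict):
        raise ValidationError("payload must be a JSON object")

    expected = {"username", "quantity", "email"}
    unknown = set(raw) - expected
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")
    missing = expected - set(raw)
    if missing:
        raise ValidationError(f"missing field(s): {sorted(missing)}")

    username = raw["username"]
    if not isinstance(username, str):
        raise ValidationError("username must be a string")
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-32 characters of [A-Za-z0-9_.-]")

    quantity = raw["quantity"]
    # bool is a subclass of int in Python, so it must be rejected explicitly
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValidationError("quantity must be an integer")
    if not MIN_QTY <= quantity <= MAX_QTY:
        raise ValidationError(f"quantity must be between {MIN_QTY} and {MAX_QTY}")

    email = raw["email"]
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValidationError("email has an invalid format")

    # Return only the validated, normalised fields, never the raw object
    return {"username": username, "quantity": quantity, "email": email}


def parse_order(body: bytes) -> dict:
    """Size check, then decode/parse, then field validation."""
    if len(body) > MAX_BODY_BYTES:
        raise ValidationError(f"body exceeds {MAX_BODY_BYTES} bytes")
    try:
        raw = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValidationError(f"body is not valid UTF-8 JSON: {exc}") from None
    return validate_order(raw)


def rejection_reason(body: bytes) -> Optional[str]:
    """Return the validation error message for a body, or None if it is accepted."""
    try:
        parse_order(body)
    except ValidationError as exc:
        return str(exc)
    return None


# Constructed sample inputs (not captured from any real system)
SAMPLE_INPUTS = [
    b'{"username": "alice", "quantity": 5, "email": "alice@example.org"}',
    b'{"username": "alice", "quantity": true, "email": "alice@example.org"}',
    b'{"username": "alice", "quantity": 101, "email": "alice@example.org"}',
    b'{"username": "al", "quantity": 1, "email": "alice@example.org"}',
    b'{"username": "alice", "quantity": 1, "email": "alice@example.org", "role": "admin"}',
    b"x" * 5000,
]

if __name__ == "__main__":
    for body in SAMPLE_INPUTS:
        print(rejection_reason(body) or "accepted")
```

The order of checks matters: the size bound runs before any parsing so an oversized body is never decoded, and type checks run before range checks so a comparison is never attempted on the wrong type.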
Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.
Only use up-to-date and trusted third-party components for the software developed by the organization.
Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
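One way to enforce the algorithm requirement above at an API boundary, as an added example that is not part of the original control text: a message-authentication helper built on Python's standard `hmac` and `hashlib` modules that accepts only an allowlist of currently accepted digests, refuses MD5 and SHA-1 for this use, requires a key at least as long as the digest output (the length RFC 2104 recommends), and verifies tags with a constant-time comparison. The allowlist contents and the `mac`/`verify` names are assumptions for illustration.

```python
import hashlib
import hmac

# Assumed policy allowlist: currently accepted, standardized digests for HMAC
APPROVED_DIGESTS = frozenset({"sha256", "sha384", "sha512", "sha3_256", "sha3_512"})


def mac(key: bytes, message: bytes, digest: str = "sha256") -> bytes:
    """HMAC over message; refuses any digest not on the approved list."""
    if digest not in APPROVED_DIGESTS:
        raise ValueError(f"digest {digest!r} is not on the approved list")
    min_key_len = hashlib.new(digest).digest_size
    if len(key) < min_key_len:
        raise ValueError(f"key must be at least {min_key_len} bytes for {digest}")
    return hmac.new(key, message, digest).digest()


def verify(key: bytes, message: bytes, tag: bytes, digest: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    expected = mac(key, message, digest)
    return hmac.compare_digest(expected, tag)


def rejects_digest(digest: str) -> bool:
    """True if the policy refuses this digest name (used by the self-check below)."""
    try:
        mac(b"\x01" * 64, b"probe", digest)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed key and message (not real secrets)
    key = b"\x42" * 32
    msg = b"transfer 100 to account 7"
    tag = mac(key, msg)
    print("valid tag accepted:", verify(key, msg, tag))
    print("tampered message rejected:", not verify(key, msg + b"0", tag))
    for name in ("md5", "sha1", "sha256"):
        print(f"{name}: {'refused' if rejects_digest(name) else 'approved'}")
```

Keeping the allowlist in one place means a later deprecation is a one-line policy change rather than a search through every call site, and routing all verification through `hmac.compare_digest` prevents a naive `==` on tags from creeping in.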
Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, deploy application-specific firewalls where such tools exist for the given application type. If the traffic is encrypted, the inspecting device must either sit behind the point where the encryption is terminated or be capable of decrypting the traffic before analysis; a WAF that sees only ciphertext inspects nothing. If neither option is appropriate, deploy a host-based web application firewall on the application server itself.
For applications that rely on a database, apply standard hardening configuration templates to the database. All systems that are part of critical business processes should also be tested against those templates.