Modern IT environments typically include a wide range of applications: software developed in house, hosted software platforms, open-source tools and purchased solutions. Because these applications access sensitive systems, data and other IT assets, cybercriminals are eager to exploit them during attacks.
CIS Control 16 offers application software security controls for strengthening your organization’s security posture. This blog post explains how implementing these CIS controls can help you reduce the risk from coding mistakes, weak authentication, insecure design, insecure infrastructure and other vulnerabilities that attackers use to access sensitive data and systems.
Note that prior to CIS Critical Security Controls Version 8, the topic of how to secure applications was covered by CIS Control 18.
16.1. Establish and maintain a secure application development process
The first step is to establish a secure application development process that addresses secure coding practices, secure application design standards and procedures, and security of third-party code. Also be sure to provide training on this process to everyone involved in the application lifecycle, including development teams and implementation groups. The goal is to create a culture of cybersecurity awareness in which everyone understands your security practices and works actively to minimize your risk exposure.
This approach will also improve your organization’s compliance with industry regulations, legal mandates and internal governance requirements.
16.2. Establish and maintain a process to accept and address software vulnerabilities
You also need a robust vulnerability management process for accepting and addressing software vulnerabilities. Perform regular risk assessment to uncover gaps in your network security, and create processes that make it easy for team members submit security issues whenever they are discovered, including during incident response.
Be sure to assign a role responsible for handling vulnerability reports and monitoring the remediation process, and consider investing in a vulnerability tracking system.
16.3. Perform root cause analysis on security vulnerabilities
To mitigate a security vulnerability, it’s essential to understand the underlying issues through root cause analysis. In addition to helping you address specific vulnerabilities, root cause analysis also helps you define secure configuration baselines that strengthen your security and compliance posture.
16.4. Establish and manage an inventory of third-party software components
Create an inventory of third-party software components, including those your team uses during development and any slated for future use. Consider and document the risks that these software components pose to your apps, and keep your inventory properly managed by identifying and recording any changes or updates.
16.5. Use up-to-date and trusted third-party software components
Use established and proven software and libraries whenever possible. Find trusted sources for these components and evaluate the software for any vulnerabilities before use.
Ensure that all third-party software components have ongoing developer support; disable or remove any that do not. Using software assets that continue to receive security updates helps to minimize your risk exposure. Be sure to use only trusted and verified sources for these updates. Of course, you need to be sure to install updates in a timely manner to maintain the integrity of your systems and devices.
16.6. Establish and maintain a severity rating system and process for application vulnerabilities
Rating the severity of application vulnerabilities helps you prioritize risk remediation. Pro tip: When designing your rating system, make sure to include how critical the application and the vulnerability are for your business processes. Also consider establishing a minimum-security acceptability level for your applications.
16.7. Use standard hardening configuration templates for application infrastructure
Using industry-recommended templates to configure your servers, databases, and SaaS and PaaS components helps you ensure secure configurations that mitigate vulnerabilities and improve cyber hygiene.
16.8. Separate production and non-production systems
Create and maintain separate environments for your production systems and the non-production systems used for development and testing. Monitor all interaction with your production environments to prevent unauthorized personnel from accessing them.
In addition to activity monitoring, safeguard your IT environments with effective account management. Grant user accounts only the permissions they require, and minimize administrative privileges. Additional data protection measures can be implemented in Microsoft Active Directory environments using Group Policy.
16.9. Train developers in application security concepts and secure coding
Your developers need training on writing secure code. Training sessions are most effective when they are tailored to the group’s specific environments and responsibilities. The training should include application security standard practices and general security principles, and seek to raise security awareness. The SANS Institute is an excellent resource for learning about information security and cybersecurity.
Investing in writing secure code can save you money by reducing the effort needed for vulnerability detection and remediation.
16.10. Apply secure design principles in application architectures
Secure design principles include the guideline of “never trust user input,” which involves validating all user operations and explicit error checking.
Secure design also involves minimizing your application infrastructure’s attack surface. For instance, your teams can remove unnecessary programs, rename or remove default accounts, and turn off unprotected services and ports.
16.11. Leverage vetted modules or services for application security components
Vetted modules or services for application security components are available for identity management, encryption, auditing and logging. Using them can reduce implementation and design errors and minimize developer workload.
For example, using modern operating systems helps ensure effective identification, authentication and authorization of applications, as well as the creation of secure audit logs. Using only standard encryption algorithms that have been extensively reviewed reduces the risk of flaws that can compromise your systems.
16.12. Implement code-level security checks
Leverage static and dynamic analysis tools to help you ensure that your developers follow secure coding practices by testing for mistakes. Research the available tools to find those that will work effectively for your code.
16.13. Conduct application penetration testing
Penetration testing can help you uncover vulnerabilities in your applications that can be missed during code reviews and automated code scanning. The goal of the testing in this component in CIS CSC 16 is to identify weaknesses, including internet security gaps, and assess your application environment’s cyber security resilience and defense mechanisms.
Keep in mind that the effectiveness of penetration testing depends upon the tester’s skills.
16.14. Conduct threat modeling
In threat modeling, specially trained developers evaluate an application’s design with a focus on security risks across each access level or entry point, before coding starts. Mapping out your applications, architectures and infrastructures in a structured manner helps you further understand weaknesses so you can improve your cyber defenses and safeguard your data against unauthorized access, theft or destruction.