Application Security Standard

This IT Risk Standard specifies the requirements for securing applications.

The objective of this Standard is to identify the minimum security requirements for applications implemented by the Company, to reduce the risk of security incidents caused by security weaknesses of applications that adversely affect the confidentiality, integrity, and/or availability of Company applications and data.

The objectives of this Secure Application Development Standard are:

a. To reduce the risk of security incidents caused by security weaknesses of applications that adversely affect the confidentiality, integrity, and/or availability of Company applications and data

b. To provide a security-related standard for application assessment and risk analysis


CONTENT

1. OVERVIEW
1.1 PROCEDURE OWNER
1.2 CLASSIFICATION
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.5 OBJECTIVES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
3. APPLICATION SECURITY ASSESSMENTS
4. APPLICATION LIFECYCLE
4.1 APPLICATION SECURITY DESIGN REVIEW AND ANALYSIS
4.2 APPLICATION REALIZATION AND TESTING
4.3 PRE-IMPLEMENTATION CONTROLS
4.4 POST-IMPLEMENTATION CONTROLS
5. CORRECT PROCESSING IN APPLICATIONS
5.1 EXTERNALLY-FACING APPLICATIONS
5.2 INPUT DATA VALIDATION
5.3 CONTROL OF PROCESSING
5.4 OUTPUT CONTROLS
6. ACCESS CONTROL IN APPLICATIONS
6.1 AUTHENTICATION
6.2 AUTHORIZATION
6.3 CRYPTOGRAPHY
7. PLATFORMS, LANGUAGES AND TOOLS
8. SECURE PROGRAMMING TECHNIQUES
9. PROTECTION OF APPLICATION TEST DATA
10. PROTECTION AND RETENTION OF SOURCE CODE
11. OUTSOURCED SOFTWARE DEVELOPMENT
12. APPLICATION MONITORING AND LOGGING
13. COMPLIANCE
14. EXCEPTIONS
15. FINAL CONSIDERATIONS
15.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
15.2 DOCUMENT REVISION

Pages: 13
