Application Software Security
CIS Control 18This is a organizational Control
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
Why is this CIS Control critical?
Attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities can be present for many reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions. Examples of specific errors include: the failure to check the size of user input; failure to filter out unneeded but potentially malicious character sequences from input streams; failure to initialize and clear variables; and poor memory management allowing flaws in one part of the software to affect unrelated (and more security critical) portions.
There is a flood of public and private information about such vulnerabilities available to attackers and defenders alike, as well as a robust marketplace for tools and techniques to allow “weaponization” of vulnerabilities into exploits. Attackers can inject specific exploits, including buffer overflows, Structured Query Language (SQL) injection attacks, cross-site scripting, cross-site request forgery, and click-jacking of code to gain control over vulnerable machines. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites using SQL injection. During that attack, trusted websites from state governments and other organizations compromised by attackers were used to infect hundreds of thousands of browsers that accessed those websites. Many more web and non-web application vulnerabilities are discovered on a regular basis.
- Establish secure coding practices appropriate to the programming language and development environment being used.
- Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
Want to implement this organizational Control?
Information Hub : CIS Controls
Media mention • 20 Aug 2019
Blog post • 20 Aug 2019
Press-release • 19 Aug 2019
Blog post • 15 Aug 2019