II.C.17 Application Security

Action Summary

Management should use applications that have been developed following secure development practices and that meet a prudent level of security. Management should develop security control requirements for all applications, whether the institution acquires or develops them. Information security personnel should be involved in monitoring the application development process to verify that secure development practices are followed, security controls are implemented, and information security needs are met.


Institutions and their customers use a wide variety of applications. Such applications include core banking applications, web applications, and installable applications (e.g., downloadable mobile applications).

A secure software development life cycle helps ensure that Internet- and client-facing applications have the necessary security controls designed in, tested, and implemented. The institution should ensure that all applications are securely developed. To verify that the controls have been developed and implemented appropriately, management should perform appropriate tests (e.g., penetration tests, vulnerability assessments, and application security tests) before launching or making significant changes to external-facing applications. Issues noted during testing should be remediated before launching applications or moving changes into production. At institutions that employ third parties to develop applications, management should ensure that the third parties meet the same controls.

Applications should provide the ability for management to do the following:

  • Implement a prudent set of security controls (e.g., password and audit policies), audit trails of security and access changes, and user activity logs for all applications.
  • Establish user and group profiles for applications if not part of a centralized identity access management system.
  • Change and disable default application accounts upon installation.
  • Review and install patches for applications in a timely manner.
  • Implement validation controls for data entry and data processing. Data entry validation controls include access controls over entry and changes to data, error checks, review of suspicious or unusual data, and dual entry or additional review and authorization for highly sensitive transactions or data. Data processing controls include batch control totals, hash totals of data for comparison after processing, identification of any changes made to data outside the application (e.g., by data-altering utilities), and job control checks to ensure programs run in the correct sequence.
  • Integrate additional authentication and encryption controls, as necessary, to ensure integrity and confidentiality of data and non-repudiation of transactions.
  • Protect web or Internet-facing applications through additional controls, including web application firewalls, regular scanning for new or recurring vulnerabilities, mitigation or remediation of common security weaknesses, and network segregation to limit inappropriate access or connections to the application or other areas of the network.
  • Mitigate risks from potential flaws in applications allowing remote access by customers and others through network, host, and application layer architecture considerations.
  • Obtain attestation or evidence from third-party developers that the application acquired by the institution meets the necessary security requirements and that noted vulnerabilities or flaws are remediated in a timely manner.
  • Perform ongoing risk assessments to consider the adequacy of application-level controls in light of changing threat, network, and host environments.
  • Implement minimum controls recommended by the third-party service provider and consider supplemental controls as appropriate.
  • Review available audit reports, and consider and implement appropriate control recommendations.
  • Collect data to build metrics and reporting of configuration management compliance, vulnerability management, and other measurable items as determined by management.
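The data processing controls named in the list above (batch control totals, hash totals compared after processing, and detection of changes made outside the application) can be implemented in a few lines. The following is an added illustration written for this page, not FFIEC guidance or any institution's code; the batch records, the account identifiers, and the tampering scenario are constructed for the example. It shows why a hash total is needed alongside a record count and a net amount: an edit that moves money between two records leaves both simple totals unchanged and is caught only by the hash.

```python
"""Batch control totals and hash totals for a processing run.

Added example for this page (not FFIEC material). Records, account IDs
and the tampering scenario are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
import hashlib
import json


@dataclass(frozen=True)
class Record:
    txn_id: str
    account: str
    amount: Decimal  # signed; debits are negative


def canonical(record: Record) -> bytes:
    # Fixed field order and string-formatted amounts so the hash does not
    # depend on dict ordering or floating-point formatting.
    return json.dumps(
        [record.txn_id, record.account, str(record.amount)],
        separators=(",", ":"),
    ).encode()


def batch_totals(records):
    """Control totals an operator records when a batch is created, before
    it is handed to the processing job: record count, net amount, and a
    hash total chained over every record in order."""
    h = hashlib.sha256()
    net = Decimal("0")
    for r in records:
        h.update(canonical(r))
        net += r.amount
    return {"count": len(records), "net": net, "hash": h.hexdigest()}


def verify_batch(expected, records):
    """Recompute totals from the records actually presented to the job and
    compare them with the totals recorded at batch creation. Returns a list
    of discrepancies; an empty list means the batch is intact."""
    actual = batch_totals(records)
    problems = []
    if actual["count"] != expected["count"]:
        problems.append(f"record count {actual['count']} != {expected['count']}")
    if actual["net"] != expected["net"]:
        problems.append(f"net amount {actual['net']} != {expected['net']}")
    if actual["hash"] != expected["hash"]:
        problems.append("hash total mismatch: a record was altered, reordered, added or removed")
    return problems


# Constructed batch as entered through the application.
BATCH = [
    Record("T1001", "ACC-001", Decimal("250.00")),
    Record("T1002", "ACC-002", Decimal("-75.50")),
    Record("T1003", "ACC-003", Decimal("1200.00")),
]

# Constructed scenario: a data-altering utility, outside the application,
# moved 100.00 from T1001 to T1003. Count and net amount are unchanged.
TAMPERED_BATCH = [
    Record("T1001", "ACC-001", Decimal("150.00")),
    Record("T1002", "ACC-002", Decimal("-75.50")),
    Record("T1003", "ACC-003", Decimal("1300.00")),
]

# Constructed scenario: the last record was dropped before processing.
TRUNCATED_BATCH = BATCH[:2]


def main():
    expected = batch_totals(BATCH)
    for name, batch in [("original", BATCH), ("tampered", TAMPERED_BATCH),
                        ("truncated", TRUNCATED_BATCH)]:
        problems = verify_batch(expected, batch)
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name:>9}: {status}")


if __name__ == "__main__":
    main()
```

In practice the recorded totals would be stored with the batch header (or in a separate control file signed by the submitting system) so that the same utility that alters records cannot also rewrite the totals; the comparison then runs as a job control step before and after processing.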

Whether the institution acquires or develops applications, management should establish security control requirements for new systems, system revisions, or new system acquisitions. Management should define the security control requirements based on its risk assessment process and evaluate the value of the information at risk and the potential impact of unauthorized access or damage within existing software development and acquisition processes. Management should have a process to determine risks posed by the system and necessary security requirements. Management may also refer to published, widely recognized industry standards as a starting point for establishing the institution's security requirements.

Information security personnel should be involved from the outset in the application development process to determine whether security controls are designed, tested, and implemented and whether information security needs are being met. Monitoring the development environment can help ensure that the implemented controls are functioning properly. Institutions that purchase applications typically rely on third-party service providers to develop applications with appropriate security built in; management, however, should perform its own verification to determine whether the application meets the institution's security requirements. Management should analyze the environment where the application will reside. As the environment changes, the security requirements and assurance needs for the application may also change. Management should leverage available resources (software tools, industry resources, specific certifications, and education courses) to assist in risk identification and improve the institution's application security practices.
