Sector 10 – Application and Software Security

Application and Software Security ensures the secure development and maintenance of applications, addressing security vulnerabilities throughout the software development lifecycle. This includes implementing secure coding practices, performing code reviews, and using security tools to detect and mitigate vulnerabilities in the application. By embedding security into the development process, organisations can prevent vulnerabilities in their software before they are exploited by malicious actors.

———————————————————————————————————

Level 1 Certification

———————————————————————————————————

Measure 10.1: Adopt Secure Coding Practices

Does your enterprise ensure that secure coding practices are followed during application development?
Example: Developers follow guidelines such as OWASP’s Secure Coding Practices to ensure that common vulnerabilities (e.g., SQL injection, cross-site scripting) are mitigated during the coding process.
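
The following is an added example, not part of the certification text, showing the two vulnerability classes named above at the code level: a login lookup written the injectable way and the parameterised way, run against an in-memory SQLite database whose two user rows are constructed for the example, plus output encoding for the HTML response. Plaintext passwords in the table are only there to keep the query logic visible; a real system stores password hashes.

```python
"""Added example: unsafe versus parameterised SQL, and HTML output encoding.
The database contents are constructed sample data, not from any real system."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Unsafe: user input is spliced into the SQL text, so the input
    ' OR '1'='1 changes the query's structure and matches every row."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: the SQL text is a constant; values travel as bound parameters
    and are never interpreted as SQL, whatever characters they contain."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def render_greeting(username: str) -> str:
    """Output encoding against reflected XSS: escape untrusted text before
    placing it in an HTML response body."""
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))  # a row: bypass
    print("safe:      ", login_safe(db, payload, payload))        # None: rejected
    print(render_greeting("<script>alert(1)</script>"))
```

The vulnerable query becomes WHERE username = '' OR '1'='1' AND password = '' OR '1'='1', which is true for every row because AND binds tighter than OR; the parameterised version treats the same string as a literal username and finds nothing.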

Measure 10.2: Implement Basic Vulnerability Testing and Scanning

Does your enterprise conduct basic vulnerability testing or use tools to scan your applications for known vulnerabilities?
Example: Use free or low-cost tools such as OWASP ZAP to scan a test deployment of the application for known vulnerability classes, and fix what is found before release.

Measure 10.3: Perform Manual Code Reviews

Does your enterprise perform regular manual code reviews to check for security flaws?
Example: Conduct peer reviews where developers assess each other’s code for security issues and ensure that security best practices are followed.

Measure 10.4: Educate Development Teams on Security Awareness

Does your enterprise provide basic security awareness training to developers to help them identify and address security flaws during the development process?
Example: Provide online training courses or resources on secure coding practices for your development team, and make sure they understand common security threats and how to avoid them.

———————————————————————————————————

Level 2 Certification

To achieve Level 2: Level 1 must also be achieved.

———————————————————————————————————

Measure 10.5: Integrate Security Testing into the CI/CD Pipeline

Does your enterprise integrate security testing into your continuous integration/continuous deployment (CI/CD) pipeline?
Example: Use security tools such as Checkmarx in your CI/CD pipeline to automatically scan for vulnerabilities during the build and deployment process, and fail the build when findings exceed an agreed severity threshold so that they are fixed rather than reported and forgotten.

Measure 10.6: Use Static Application Security Testing

Does your enterprise use Static Application Security Testing tools to analyse your codebase for vulnerabilities before the application is deployed?
Example: Use tools such as Veracode, Fortify, or SonarQube to perform static code analysis and identify vulnerabilities in the source code early in the development cycle.
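
As an added illustration of what a static analysis rule does (this is not the logic of Veracode, Fortify or SonarQube), the checker below walks a Python module's syntax tree and flags calls to execute-style database methods whose SQL argument is assembled at runtime from concatenation, %-formatting, .format() or an f-string. The sample module it scans is constructed for the example.

```python
"""Added example: a minimal SAST rule for dynamically built SQL. The
SAMPLE module is constructed input; the sink names are an assumption
covering the DB-API style used by most Python database drivers."""
import ast

SQL_SINKS = {"execute", "executemany", "executescript"}

SAMPLE = '''
def lookup(conn, name):
    conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
    conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
    conn.execute("SELECT * FROM users WHERE name = '%s'" % name)
    conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                    # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                         # "a" + x, "%s" % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                         # "{}".format(x)
    return False


def find_sql_injection_sinks(source: str):
    """Return sorted (line, description) pairs for each dynamic SQL string
    passed as the first argument of a sink method."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS:
            if _is_dynamic_string(node.args[0]):
                findings.append((node.lineno, f"dynamic SQL passed to .{func.attr}()"))
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in find_sql_injection_sinks(SAMPLE):
        print(f"line {line}: {msg}")
```

Only the three formatted queries are reported; the parameterised call on the last line passes. A query built into a variable earlier and passed by name would be missed by this pattern match, which is why commercial SAST tools add data-flow (taint) tracking from input sources to sinks.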

Measure 10.7: Perform Dynamic Application Security Testing

Does your enterprise perform Dynamic Application Security Testing to identify vulnerabilities during the runtime of the application?
Example: Regularly test a running instance of each web application using tools like Netsparker or Qualys to identify and remediate issues such as cross-site scripting (XSS) and other vulnerabilities that only appear at runtime.

Measure 10.8: Establish Security Code Review Procedures

Does your enterprise implement a structured and formal code review process that includes a focus on security?
Example: Set up a policy where all code changes are reviewed by senior developers or security experts, focusing on security issues, and ensure that code is tested for vulnerabilities before being deployed to production.

———————————————————————————————————

Level 3 Certification

To achieve Level 3: Level 2 and Level 1 must also be achieved.

———————————————————————————————————

Measure 10.9: Establish a Secure Software Development Lifecycle

Does your enterprise have a fully integrated Secure Software Development Lifecycle that incorporates security throughout each phase of development?
Example: Implement a formal SDLC process that includes security requirements at each phase of development (e.g., planning, design, coding, testing, deployment) and incorporates continuous security assessments.

Measure 10.10: Implement Automated Security Testing for Every Release

Does your enterprise automate security testing for every release to ensure vulnerabilities are identified before production?
Example: Use automated tools like Veracode, WhiteHat Security, or Contrast Security to test applications for security flaws in every release cycle, with the release blocked until findings above an agreed severity are fixed or formally accepted. Automation catches known vulnerability classes consistently; it does not guarantee that nothing is missed.
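
Measures 10.5 and 10.10 both come down to a gate in the pipeline that turns scanner output into a pass/fail decision. The script below is an added example of such a gate, not code from any of the tools named: it reads a SARIF 2.1.0 report, the interchange format most SAST and DAST tools can emit, and fails the build when findings at or above a chosen level remain that have not been explicitly accepted. The report, tool name and rule ids are constructed for the example.

```python
"""Added example: a CI quality gate over a SARIF report. SAMPLE_SARIF is a
constructed report; the scanner name, rule ids and file paths are invented."""
import json
import sys

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built from request parameter"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "missing-csrf-token", "level": "warning",
             "message": {"text": "State-changing form without CSRF token"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_findings(sarif_text: str):
    """Flatten SARIF results into (level, rule, file, line, message) tuples."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default when omitted
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((
                level,
                result.get("ruleId", "?"),
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine", 0),
                result.get("message", {}).get("text", ""),
            ))
    return findings


def evaluate_gate(sarif_text: str, fail_on: str = "error", allowlist=()):
    """Return (passed, blocking). A finding blocks when its level is at or
    above fail_on and its (rule, file, line) is not on the accepted-risk
    allowlist; unknown levels are treated as warnings."""
    threshold = LEVEL_RANK[fail_on]
    blocking = [
        f for f in load_findings(sarif_text)
        if LEVEL_RANK.get(f[0], 2) >= threshold and (f[1], f[2], f[3]) not in allowlist
    ]
    return (not blocking, blocking)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    passed, blocking = evaluate_gate(text, fail_on="warning")
    for level, rule, path, line, msg in blocking:
        print(f"{level.upper():8} {rule:22} {path}:{line}  {msg}")
    sys.exit(0 if passed else 1)
```

Run it as a pipeline step with the scanner's report path as the argument; a non-zero exit fails the job. Keeping the allowlist as a versioned file in the repository gives a reviewable record of which findings were accepted, by whom and where, instead of silently lowering the threshold.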

Measure 10.11: Conduct Regular Penetration Testing

Does your enterprise perform regular, comprehensive penetration testing to identify potential weaknesses in your application’s security?
Example: Hire a third-party penetration testing firm to conduct tests at least annually, and after significant changes to the application, that simulate real-world attacks and uncover exploitable vulnerabilities; track each finding through to verified remediation.

Measure 10.12: Provide Advanced Security Training for Development Teams

Does your enterprise offer advanced, role-specific security training to developers to keep them updated on the latest threats and secure coding techniques?
Example: Send your development team to advanced training on topics such as secure code review, threat modelling, and ethical hacking. Ensure that they are knowledgeable about the latest vulnerabilities and mitigation techniques.

Measure 10.13: Integrate Security Monitoring in Applications

Does your enterprise embed security monitoring and logging within the application to detect and respond to threats in real time?
Example: Have the application emit structured security events (authentication failures, authorisation denials, input validation rejections) to a central platform such as Splunk, and alert on unusual patterns in those events, so that attacks in progress are detected and responded to as they occur.
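
The example below is added here and is not part of the certification text. It shows the detection side of this measure running over application security events: the log lines are constructed JSON (one event per line, the shape an application would forward to a platform such as Splunk), and the thresholds and window sizes are assumptions a team would tune to its own traffic.

```python
"""Added example: detection logic over application security events.
SAMPLE_LOG is constructed; thresholds and windows are assumed values."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "event": "login_failure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:03Z", "event": "login_failure", "user": "bob", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:04Z", "event": "login_failure", "user": "carol", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:06Z", "event": "login_failure", "user": "dave", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:08Z", "event": "login_failure", "user": "erin", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:09Z", "event": "login_success", "user": "erin", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:05:00Z", "event": "login_failure", "user": "alice", "src_ip": "198.51.100.2"}
{"ts": "2024-05-01T10:06:00Z", "event": "authz_denied", "user": "bob", "src_ip": "198.51.100.9", "path": "/admin/users"}
{"ts": "2024-05-01T10:06:01Z", "event": "authz_denied", "user": "bob", "src_ip": "198.51.100.9", "path": "/admin/export"}
{"ts": "2024-05-01T10:06:02Z", "event": "authz_denied", "user": "bob", "src_ip": "198.51.100.9", "path": "/admin/config"}
"""


def parse_event(line: str) -> dict:
    """Parse one JSON event and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text: str,
           fail_threshold: int = 5, fail_window: timedelta = timedelta(seconds=60),
           denied_threshold: int = 3, denied_window: timedelta = timedelta(minutes=5)):
    """Return (alert_type, subject, timestamp) tuples in the order raised.
    Rules: a burst of login failures from one source IP inside fail_window,
    a successful login from an IP already flagged for a burst, and repeated
    authorisation denials for one user inside denied_window."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    denials = defaultdict(deque)    # user   -> timestamps of recent denials
    flagged_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_event(line)
        ts, event = rec["ts"], rec["event"]
        if event == "login_failure":
            window = failures[rec["src_ip"]]
            window.append(ts)
            while window and ts - window[0] > fail_window:
                window.popleft()
            if len(window) >= fail_threshold and rec["src_ip"] not in flagged_ips:
                flagged_ips.add(rec["src_ip"])
                alerts.append(("login_failure_burst", rec["src_ip"], ts))
        elif event == "login_success" and rec["src_ip"] in flagged_ips:
            alerts.append(("success_after_burst", f'{rec["user"]}@{rec["src_ip"]}', ts))
        elif event == "authz_denied":
            window = denials[rec["user"]]
            window.append(ts)
            while window and ts - window[0] > denied_window:
                window.popleft()
            if len(window) == denied_threshold:   # alert once per window
                alerts.append(("authz_probing", rec["user"], ts))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {kind:22} {subject}")
```

On the sample the first rule fires at the fifth failure from 203.0.113.7 (five different usernames in seven seconds, a spraying pattern), the second at the login that succeeds from that address a second later, which is the event worth paging on, and the third at bob's third denial on /admin paths. The lone failure from 198.51.100.2 never reaches the threshold, so it is logged but not alerted.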

———————————————————————————————————