This application security policy defines the security framework and requirements for applications, particularly web applications, in the Netspective Communications LLC’s production environment. It also provides instructions for implementing web application security controls, such as periodic vulnerability scans and other assessments. This policy applies to all applications, and administrators and users of applications within the Netspective Communications LLC’s production environment, which often includes employees and contractors, must comply with it.
-
The Netspective Communications LLC must ensure that all applications it develops and/or acquires are securely configured and managed.
-
The following security best practices must be considered and, if feasible, applied as a matter of the application’s security design:
-
Data handled and managed by the application must be classified in accordance with the Data Classification Policy. [FII-SCF-009-DCH-22.1]
-
If the application processes confidential information, a confidential record banner that highlights the type of confidential data being accessed (e.g., personally identifiable information (PII) or protected health information (PHI)) must be prominently displayed.
-
Sensitive data, especially data specifically restricted by law or policy (e.g., social security numbers, passwords, and credit card data) should not be displayed in plaintext.
-
Ensure that applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Examples of the flaws this guards against include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws.
-
Ensure that applications execute proper error handling so that errors will not provide detailed system information to an unprivileged user, deny service, impair security mechanisms, or crash the system.
-
Where possible, authorize access to applications by affiliation, membership or employment, rather than by individual. Provide an automated review of authorizations on a regular basis, where possible.
-
Ensure that applications encrypt data at rest and in transit.
-
Implement application logging to the extent practical. Retain logs of all users and access events for at least ?compansoc2pRetainAccessLogsPeriod?.
-
Qualified peers conduct security reviews of code for all new or significantly modified applications, particularly those that affect the collection, use, and/or display of confidential data. Document all actions taken.
-
Implement a change management process for changes to existing software applications. [FII-SCF-004-CHG-01]
-
The standard configuration of the application must be documented.
-
Default passwords used within the application, such as for administrative control panels or integration with databases, must be changed immediately upon installation.
-
Applications must require complex passwords in accordance with current security best practices and should follow the Password policy of the Netspective Communications LLC (at least 8 characters in length, combination of alphanumeric upper/lowercase characters and symbols). [FII-SCF-012-IAC-02]
Passwords Settings
- During development and testing, applications must not have access to live data.
-
-
Where applications are acquired from a third party, such as a vendor: [FII-SCF-012-IAC-05]
-
Only applications that are supported by an approved vendor shall be procured and used.
-
Full support contracts must be arranged with the application vendor for full life-cycle support.
-
No custom modifications may be applied to the application without confirmation that the vendor can continue to provide support.
-
Updates, patches, and configuration changes issued by the vendor shall be implemented as soon as possible.
-
A full review of applications and licenses shall be completed at least annually, as part of regular software reviews.
-
-
Web applications must be assessed according to the following criteria:
-
New or major application releases must have a full assessment prior to the approval of the change control documentation and/or release into the production environment.
-
Third-party or acquired applications must have a full assessment prior to deployment.
-
Software releases must have an appropriate assessment, as determined by the Netspective Communications LLC’s information security manager, with specific evaluation criteria based on the security risks inherent in the changes made to the application’s functionality and/or architecture.
-
Emergency releases may forego security assessments and carry the assumed risk until a proper assessment can be conducted. Emergency releases must be approved by the Chief Information Officer or designee.
-
-
Vulnerabilities that are discovered during application security assessments must be mitigated based upon the following risk levels, which are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology. [FII-SCF-027-VPM-06]
-
High: issues categorized as high risk must be fixed immediately, otherwise alternate mitigation strategies must be implemented to limit exposure before deployment. Applications with high-risk issues are subject to being taken off-line or denied release into the production environment.
-
Medium: issues categorized as medium risk must be reviewed to determine specific items to be mitigated. Actions to implement mitigations must be scheduled. Applications with medium-risk issues may be taken off-line or denied release into the production environment based on the number of issues; multiple issues may increase the risk to an unacceptable level. Issues may be fixed in patch releases unless better mitigation options are present.
-
Low: issues categorized as low risk must be reviewed to determine specific items to be mitigated. Actions to implement mitigations must be scheduled.
Security Test Reports
-
-
Testing is required to validate fixes and/or mitigation strategies for any security vulnerabilities classified as Medium risk or greater. [FII-SCF-018-PRI-08]
-
The following security assessment types may be leveraged to perform an application security assessment:
-
Full: Comprises tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment must leverage manual penetration testing techniques to validate discovered vulnerabilities and determine the overall risk of any and all discovered issues.
-
Quick: Consists of an automated scan of an application for, at a minimum, the OWASP Top Ten web application security risks.
-
Targeted: Verifies vulnerability remediation changes or new application functionality.
-
Security considerations for the software development life cycle, including system development, acquisition, and maintenance, are defined in the Software Development Lifecycle Policy. [FII-SCF-019-PRM-07]
-
Security requirements for handling information security incidents are defined in the Security Incident Response Policy. [FII-SCF-013-IRO-01]
Sample incident response ticket
-
Disaster recovery and business continuity management policies are defined in the Disaster Recovery Policy. [FII-SCF-003-BCD-01]
Disaster Recovery Test Reports
-