Application Software Security

Introduction

Safeguard 16 - Application Software Security

Procedures

16.1 - Establish and Maintain a Secure Application Development Process

  1. Application code will be designed with security in mind, so that security vulnerabilities are prevented where possible and reduced otherwise. See Implementing Web Development Site Security for more information.
  2. All application code is to be reviewed for security vulnerabilities before deployment, preferably using static code analysis tools.
  3. All application vulnerabilities are to be resolved before deployment.

Using Static Code Analysis Tools

  1. Install a static code analysis tool of your choice. Below are some free, open-source options.
  2. Run the tool. Consult your tool’s documentation for usage instructions.
  3. Make changes to fix issues that the tool has found before deployment.
  4. Run the tool again to ensure the issues have been solved.

16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities

This step is under construction.

16.3 - Perform Root Cause Analysis on Security Vulnerabilities

This step is under construction.

16.4 - Establish and Manage an Inventory of Third-Party Software Components

This step is under construction.

16.5 - Use Up-to-date and Trusted Third-Party Software Components

This step is under construction.

16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

This step is under construction.

16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure

This step is under construction.

16.8 - Separate Production and Non-Production Systems

This step is under construction.

16.9 - Train Developers in Application Security Concepts and Secure Coding

At Virginia Tech, all developers of medium- and high-risk applications are required to stay up-to-date on the latest security trends by taking security awareness training at least once per year. VT provides free training for such employees.

Request an Awareness Training Session

  1. Log into 4Help.
  2. Go to Service Catalog > Security > Awareness Training.
  3. Click or tap Request this service.
  4. Fill out the request form and click Submit.

16.10 - Apply Secure Design Principles in Application Architectures

This step is under construction.

16.11 - Leverage Vetted Modules or Services for Application Security Components

This step is under construction.

Other

If you have questions that are not covered in these procedures, please contact the VT IT Security Office at itso@vt.edu for a consultation.