CIS Control 18: Application Software Security

As an organization grows, it often develops custom applications to support business workflows or to offer services to customers. These applications expose the organization to risk, and if they store customer data, the customers may be exposed as well. Several tools on the market help with application software security. For example, the non-profit Open Web Application Security Project® (OWASP) provides information to aid in the detection and mitigation of such risk.

CIS Control 18 states:

“Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

Why Is This CIS Control Critical?

Attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities can be present for many reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions. Examples of specific errors include: the failure to check the size of user input; failure to filter out unneeded but potentially malicious character sequences from input streams; failure to initialize and clear variables; and poor memory management allowing flaws in one part of the software to affect unrelated (and more security critical) portions.

There is a flood of public and private information about such vulnerabilities available to attackers and defenders alike, as well as a robust marketplace for tools and techniques to allow “weaponization” of vulnerabilities into exploits. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites using SQL injection. During that attack, trusted websites from state governments and other organizations compromised by attackers were used to infect hundreds of thousands of browsers that accessed those websites. Many more web and non-web application vulnerabilities are discovered on a regular basis.”
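As an added example (not from the CIS document or from Tenable), the Python snippet below illustrates two of the error classes the control text lists, an unchecked input size and unfiltered quote characters spliced into a SQL statement, beside a hardened lookup that bounds the input length and binds the value as a parameter. The in-memory table, its rows and the 32-character limit are constructed for the demonstration.

```python
import sqlite3

MAX_USERNAME_LEN = 32  # assumed limit; use whatever the schema actually allows


def build_db():
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, username):
    """'Before': the input is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement
    (here it surfaces as a SQL syntax error; in general it lets the
    caller rewrite the query)."""
    sql = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """'After': size check plus a bound parameter. The driver keeps the
    input as data, so no character sequence can alter the statement."""
    if not isinstance(username, str) or not 1 <= len(username) <= MAX_USERNAME_LEN:
        raise ValueError("username length out of range")
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def query_outcome(fn, conn, username):
    """Run one lookup and report how it ended: normal result, rejected by
    the SQL engine, or rejected by the input check."""
    try:
        return ("ok", fn(conn, username))
    except sqlite3.OperationalError:
        return ("sql_error", None)
    except ValueError:
        return ("rejected_input", None)


if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "o'brien", "a" * 40):
        print(repr(name), query_outcome(lookup_unsafe, db, name),
              query_outcome(lookup_safe, db, name))
```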

Tenable Web App Scanning and Tenable Container Security help discover and assess application vulnerabilities. However, tools that review the source code itself should also be used. Such analysis tools can be integrated into the build process to check the software for vulnerable libraries and common coding mistakes, and fixing those findings early helps reduce these risks.