Conduct application security reviews, as necessary.


CONTROL ID
06298
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an application security policy., CC ID: 06438

This Control has the following implementation support Control(s):
  • Include all vulnerabilities in the application security review., CC ID: 12036
  • Assign application security reviews for web-facing applications to an organization that specializes in application security., CC ID: 12035
  • Correct all found deficiencies according to organizational standards after a web application policy compliance review., CC ID: 06299
  • Re-evaluate the web application after deficiencies have been corrected., CC ID: 06300


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A cyber inspector may monitor and inspect any activity on an Information System in the public domain or website and report any unlawful activity to the appropriate authority. (§ 94(1)(a), The Electronic Communications and Transactions Act, 2002)
  • Ensuring that the information security function has reviewed the security of the application (Critical components of information security 11) c.2. Bullet 5, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An application security review/testing, initially and during major changes, needs to be conducted using a combination of source code review, stress loading, exception testing and compliance review to identify insecure coding techniques and systems vulnerabilities to a reasonable extent. (Critical components of information security 11) c.30., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks need to ensure suitable security measures for their web applications and take reasonable mitigating measures against various web security risks indicated earlier in the chapter. (Critical components of information security g) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Infrastructure and software analysis (Critical components of information security 22) iii. Bullet 8, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should ensure that there is a high degree of system and data integrity for all systems. The FI should exercise due diligence in ensuring its applications have appropriate security controls, taking into consideration the type and complexity of services these applications provide. (§ 6.3.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Software bugs or vulnerabilities are typically targeted and exploited by threat actors to compromise an IT system, and they often occur because of poor software development practices. To minimise the bugs and vulnerabilities in its software, the FI should adopt standards on secure coding, source cod… (§ 6.1.1, Technology Risk Management Guidelines, January 2021)
  • Perform web application scanning and source code analysis to help detect web vulnerabilities. Vulnerabilities to look out for could include those in the Open Web Application Security Project (OWASP) "Top Ten" list or similar. (Annex A2: Websites and Web Application Security 30, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Verify that public-facing web applications are reviewed at least annually or after any changes. (§ 6.6 Bullet 1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview personnel, examine documented processes, and examine the records of application security assessments to verify that public-facing web applications are reviewed, with either a manual or automated vulnerability security assessment tool, at least annually. (Testing Procedures § 6.6 Bullet 1 Dash 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel, examine documented processes, and examine the records of application security assessments to verify that public-facing web applications are reviewed, with either a manual or automated vulnerability security assessment tool, after any changes. (Testing Procedures § 6.6 Bullet 1 Dash 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel, examine documented processes, and examine the records of application security assessments to verify that public-facing web applications are reviewed, with either a manual or automated vulnerability security assessment tool, by organizations specializing in application security. (Testing Procedures § 6.6 Bullet 1 Dash 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel, examine documented processes, and examine the records of application security assessments to verify that public-facing web applications are reviewed, with either a manual or automated vulnerability security assessment tool, for all vulnerabilities stated in Payment Card Industry… (Testing Procedures § 6.6 Bullet 1 Dash 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review public-facing web applications via manual or automated application vulnerability security assessment tools or methods. (§ 6.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that public-facing web applications are reviewed at least annually or after any changes. (§ 6.6 Bullet 1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • New threats and vulnerabilities for public-facing web applications must be addressed on an ongoing basis to ensure they are protected against known attacks by using a manual or automatic application vulnerability security assessment tool to review public-facing web applications at least annually and… (PCI DSS Requirements § 6.6 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability… (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability… (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: (6.4.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • If manual or automated vulnerability security assessment tools or methods are in use, examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed in accordance with all elements of this requirem… (6.4.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: (6.4.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: (6.4.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: (6.4.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization should test all web software and application software, in-house developed and third-party procured, for malware insertion and coding errors before deployment using automated static code analysis software. If the source code is not available, the compiled code should be tested with s… (Critical Control 6.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should test third-party procured and in-house developed web applications for common security weaknesses before deployment, after changes are made, and on a regular basis using an automated web application scanner. (Critical Control 6.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and up… (CIS Control 16: Safeguard 16.1 Establish and Maintain a Secure Application Development Process, CIS Controls, V8)
  • The organization should periodically conduct threat and vulnerability testing, security penetration testing, and web vulnerability testing. (Table Ref 8.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk. (CA.3.162, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk. (CA.3.162, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk. (CA.3.162, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Reviews mitigation of potential flaws in applications. (App A Objective 6.28.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Provide a prudent level of security (e.g., password and audit policies), audit trails of security and access changes, and user activity logs. (App A Objective 6.27.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Whether internal audit or other third-party have conducted a security review. (App A Tier 2 Objectives and Procedures C.2 Bullet 9, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Has a compliance review been conducted on the website? (IT - General Q 45, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include regulatory compliance of website content, e-forms, e-statements, applications, etc.? (IT - Policy Checklist Q 16, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has a compliance review of the website been completed by the internal compliance officer or a reputable third party compliance expert? (IT - Web Site Review Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy. (T0178, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy. (T0178, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)