Safeguard 16 - Application Software Security
16.1 - Establish and Maintain a Secure Application Development Process
- Application code will be designed with security in mind, reducing and preventing security vulnerabilities. See Implementing Web Development Site Security for more information.
- Consider following the Middleware Software Development Standards. While this does not directly increase security, it provides a well documented workflow for software development.
- All application code is to be reviewed for security vulnerabilities before deployment, preferably using static code analysis tools.
- All application vulnerabilities are to be resolved before deployment.
Using Static Code Analysis Tools
- Install a static code analysis tool of your choice. Below are some free, open-source options.
- VisualCodeGrepper: C, C++, C#, VB, PHP, Java, PL/SQL, and COBOL.
- Brakeman: Ruby.
- Flawfinder: C and C++.
- Bandit: Python.
- Run the tool. Consult your tool's documentation for usage instructions.
- Make changes to fix issues that the tool has found before deployment.
- Run the tool again to ensure the issues have been solved.
Once an application is set up it is always a good idea to do a vulnerability scan or pentest to ensure everything is configured correctly. Or, you may conduct one yourself with Burpsuite.
16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities
See this document as one example of a local process.
The university has established a BugBounty program to accept vulnerabilities found.
16.3 - Perform Root Cause Analysis on Security Vulnerabilities
When an vulnerability is found, document the reason why it was a vulnerability, the fix to the vulnerability, and how it was exploited. For example: If there was a data exposure due to a secret key leaked online, document how it accidentally ended up online, that you had to change keys, and what data was leaked due to the mistake.
16.4 - Establish and Manage an Inventory of Third-Party Software Components
When writing software, these third-party components will be in your
includes section. To inventory all these includes, you may consider using the applications below.
16.5 - Use Up-to-date and Trusted Third-Party Software Components
Make sure all Third-Party Software Components from 16.4 are the latest version. Additionally, make sure most third-party components are from reputable sources on GitHub or vendors.
16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
VT is influenced by the MITRE's CVE scoring policy.
VT also has it's own vulnerability ratings.
16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure
The Division of IT strongly encourages departments to use the IT Common Platform.
The Common Platform uses Trivy to scan workloads for vulnerabilities.
16.8 - Separate Production and Non-Production Systems
Applications should have different stages they go through to reach production. This ensure minimal errors reach the client facing side. One example of separation is a 3-tier architecture with Development (where changes are made), Test (where testing occurs), and Production (where users can interact with the application) stages.
16.9 - Train Developers in Application Security Concepts and Secure Coding
At Virginia Tech, all developers of medium- and high-risk applications are required to stay up-to-date on the latest security trends by taking a security awareness training at least once per year. VT provides free training for such employees.
Request an Awareness Training Session
- Log into 4Help.
- Go to Service Catalog > Security > Awareness Training.
- Click or tap Request this service.
- Fill out the request form and click Submit.
16.10 - Apply Secure Design Principles in Application Architectures
Refer to 16.7 and 16.9
16.11 - Leverage Vetted Modules or Services for Application Security Components
Whenever possible, utilize vetted and trusted services. Some existing security components at Virginia Tech include
For an example on how one team complies to this security procedure, see ITCP Security Procedures.
If you have questions that are not covered in these procedures, please contact the VT IT Security Office email@example.com for a consultation.