Application Software Security

Introduction

Safeguard 16 - Application Software Security

Procedures

16.1 - Establish and Maintain a Secure Application Development Process

1. Application code will be designed with security in mind, reducing and preventing security vulnerabilities. See Implementing Web Development Site Security for more information.
2. Consider following the Middleware Software Development Standards. While this does not directly increase security, it provides a well documented workflow for software development.
3. All application code is to be reviewed for security vulnerabilities before deployment, preferably using static code analysis tools.
4. All application vulnerabilities are to be resolved before deployment.

Using Static Code Analysis Tools

1. Install a static code analysis tool of your choice. Below are some free, open-source options.
   • VisualCodeGrepper: C, C++, C#, VB, PHP, Java, PL/SQL, and COBOL.
   • Brakeman: Ruby.
   • Flawfinder: C and C++.
   • Bandit: Python.
2. Run the tool. Consult your tool’s documentation for usage instructions.
3. Make changes to fix issues that the tool has found before deployment.
4. Run the tool again to ensure the issues have been solved.

Pentesting

Once an application is set up it is always a good idea to do a vulnerability scan or pentest to ensure everything is configured correctly. Or, you may conduct one yourself with Burpsuite.

1. BurpSuite
2. ITSO Pentesting
3. ITSO Vulnerability Scan

16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities

See this document as one example of a local process.

The university has established a BugBounty program to accept vulnerabilities found.

16.3 - Perform Root Cause Analysis on Security Vulnerabilities

When an vulnerability is found, document the reason why it was a vulnerability, the fix to the vulnerability, and how it was exploited. For example: If there was a data exposure due to a secret key leaked online, document how it accidentally ended up online, that you had to change keys, and what data was leaked due to the mistake.

16.4 - Establish and Manage an Inventory of Third-Party Software Components

When writing software, these third-party components will be in your includes section. To inventory all these includes, you may consider using the applications below.

• Maven
• Cobblestone

16.5 - Use Up-to-date and Trusted Third-Party Software Components

Make sure all Third-Party Software Components from 16.4 are the latest version. Additionally, make sure most third-party components are from reputable sources on GitHub or vendors.

16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

VT is influenced by the MITRE’s CVE scoring policy.

VT also has it’s own vulnerability ratings.

16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure

The Division of IT strongly encourages departments to use the IT Common Platform.

• Platform
• Platform Templates
• Platform Summary

The Common Platform uses Trivy to scan workloads for vulnerabilities.

16.8 - Separate Production and Non-Production Systems

Applications should have different stages they go through to reach production. This ensure minimal errors reach the client facing side. One example of separation is a 3-tier architecture with Development (where changes are made), Test (where testing occurs), and Production (where users can interact with the application) stages.

16.9 - Train Developers in Application Security Concepts and Secure Coding

At Virginia Tech, all developers of medium- and high-risk applications are required to stay up-to-date on the latest security trends by taking a security awareness training at least once per year. VT provides free training for such employees.

Request an Awareness Training Session

1. Log into 4Help.
2. Go to Service Catalog > Security > Awareness Training.
3. Click or tap Request this service.
4. Fill out the request form and click Submit.

16.10 - Apply Secure Design Principles in Application Architectures

Refer to 16.7 and 16.9

16.11 - Leverage Vetted Modules or Services for Application Security Components

Whenever possible, utilize vetted and trusted services. Some existing security components at Virginia Tech include

1. VT login with Duo authentication
2. CLS logging
3. Division of IT Platform

Other

For an example on how one team complies to this security procedure, see ITCP Security Procedures.

If you have questions that are not covered in these procedures, please contact the VT IT Security Office itso@vt.edu for a consultation.