Information Security Group
Secure Application and Platform

Building applications and platforms that are secure by design and secure by default, and keeping them secure while in operation, requires an engineering approach. A Secure Software and Systems Development Lifecycle (SSDLC) enables it. Applications, platforms and their hosting environments, whether on premise or on cloud, must be secured by considering security in each phase of their lifecycle, from conception until end-of-life. This includes security requirements, security architecture, security design, secure coding and development, secure code review, secure integrations, secure APIs, security testing, secure deployments, secure configurations, secure communications and secure operations.

Applications, platforms or software solutions that are bought out, integrated, outsourced or contracted for development, hosted on cloud or cloud based must also consider security when engaging vendors or suppliers for application development and management services.

Open source software must also be verified for security and for the licensing terms that govern its use and distribution.

What is required to publish a URL, Web Application, Platform or Mobile App to the Internet or for Production Use

  • Static Source Code Scan and Review
  • Any Open Source Components used must be verified for currency of the libraries and for license conflicts. Legal clearance is necessary before distributing software or an application for commercial use.
  • Security Testing or Penetration Testing of target Application
  • Vulnerability Assessment of Servers, Systems and Hosting Infrastructure, including review of Security Configurations and the hardening level of the systems used
  • Security assessment of Production Setup and Devices
  • Closure Certificate issued by ISG TechSec. Exceptions require a duly approved Risk Acceptance Document (RAD)
  • SSL certificate with secure configuration
  • ISG TechSec approval for DNS entry

How to raise a request

For Security Assessments, a hub request is to be raised by the system owner:

ISG >> ISG - Service Request >> S-066-Event Based VA and PT / WAPT Request
Guidelines and References

  • Build Security In Maturity Model BSIMM (https://www.bsimm.com/)
  • Open Web Application Security Project - OWASP (https://www.owasp.org/index.php/Main_Page)
  • Developing Cyber Resilient Systems: A Systems Security Engineering Approach (NIST SP800-160)
  • Application Security Policy (ISG-PO006)
  • Application Security Checklist (ISG-CL015)
  • Privacy Control Checklist (ISG-CL016)
  • Security Policy for Cloud Deployments (ISG-PO042)
  • Vulnerability Assessment (VA) and Penetration Testing (PT) Policy (ISG-PO029)
  • Vulnerability Management Policy (ISG-PO033)
  • Guidelines for Supplier Security Agreement (ISG-GL020)
  • Secure Code Review (or SAST) tools - Fortify SCA and WhiteSource (for Open Source Software)
  • Vulnerability Assessment tools - Tenable Nessus, nmap, BackTrack
  • Web Application Security Scanners (or DAST) like WebInspect and Burp Suite Pro
  • Sniffer and proxy tools like Burp Suite Pro, Paros Proxy etc.
  • Penetration Testing tools like Metasploit or the BackTrack tool set
  • Vulnerability Management tool - Tenable.io
Copyright © Tech Mahindra Limited. All Rights Reserved