Application security standards are established by leading industry research and standards bodies to help organizations identify and remove application security vulnerabilities in complex software systems.
Application Security Standards Organizations
The following organizations set security standards for national and international network applications.
- ANSI - American National Standards Institute sets standards for the banking industry.
- FIPS - Federal Information Processing Standards public standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. FIPS standards are issued to establish requirements for various purposes such as ensuring computer security and inter-operability, and are intended for cases in which suitable industry standards do not already exist. Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
- ISO/IEC - International Standards Organization and the International Electrotechnical Commission is an independent, non-governmental international organization with a membership of 162 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.
- IETF - Internet Engineering Task Force is an open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet..
- CISQ - The Consortium for IT Software Quality is an IT industry leadership group comprised of IT executives from the Global 2000, system integrators, outsourced service providers, and software technology vendors committed to introducing computable metrics standards for measuring software quality and size. CISQ is a neutral, open forum in which customers and suppliers of IT application software can develop an industry-wide agenda of actions for improving IT application quality to reduce cost and risk.
OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
Application Security Standards
- Open Web Application Security Project (OWASP) Top 10 - OWASP Top 10 provides a list of the 10 most critical web application security risks.
- Common Weakness Enumeration (CWE) Top 25 – CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.
- Payment Card Industry Data Security Standard (PCI DSS) - PCI DSS provides an actionable framework for developing a robust payment card data security process.
- Consortium for IT Software Quality (CISQ) / OMG Automated Source Code Security Measure Standard - MITRE has participated to the CISQ initiative to specify an automated source code security measurement standard, derived from the CWE Top 25 by focusing on automatable measurements. Please also refer to MITRE own communication about their work with the CISQ
Application Security Tools
[Additional suggested reading : Juliet and OWASP Benchmark Results: How CAST Tests Against 2 Most Important Application Security Standards
Application security tools, or Static Analysis Security Tools (SAST), like CAST help organizations leverage these application security standards and to automate the identification and remediation of applications security vulnerabilities. The following series of posts explain CAST’s coverage (static code quality analysis, architectural analysis, code quality analysis) for these application security standards:
False Positive in security – Why We Like to Cry Wolf ]