Application Security Standards
Application security standards are established by leading industry research and standards bodies to help organizations identify and remove application security vulnerabilities in complex software systems.

Application Security Standards Organizations

The following organizations set security standards for national and international network applications.

  • ANSI - The American National Standards Institute sets standards for the banking industry.
  • FIPS - Federal Information Processing Standards are public standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. FIPS standards are issued to establish requirements for various purposes, such as ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not already exist. Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
  • ISO/IEC - The International Organization for Standardization and the International Electrotechnical Commission. ISO is an independent, non-governmental international organization with a membership of 162 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant International Standards that support innovation and provide solutions to global challenges.
  • IETF - The Internet Engineering Task Force is an open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.
  • CISQ - The Consortium for IT Software Quality is an IT industry leadership group composed of IT executives from the Global 2000, system integrators, outsourced service providers, and software technology vendors committed to introducing computable metrics standards for measuring software quality and size. CISQ is a neutral, open forum in which customers and suppliers of IT application software can develop an industry-wide agenda of actions for improving IT application quality to reduce cost and risk.
  • OWASP - The Open Web Application Security Project is an international organization, and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

Application Security Standards

  • Open Web Application Security Project (OWASP) Top 10 - The OWASP Top 10 is a list of the 10 most critical web application security risks.
  • Common Weakness Enumeration (CWE) Top 25 - The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.
  • Payment Card Industry Data Security Standard (PCI DSS) - PCI DSS provides an actionable framework for developing a robust payment card data security process.
  • Consortium for IT Software Quality (CISQ) / OMG Automated Source Code Security Measure Standard - MITRE has participated in the CISQ initiative to specify an automated source code security measurement standard, derived from the CWE Top 25 by focusing on automatable measurements. Please also refer to MITRE's own communication about its work with CISQ.

Application Security Tools

Application security tools, such as Static Application Security Testing (SAST) tools like CAST, help organizations leverage these application security standards and automate the identification and remediation of application security vulnerabilities. The following series of posts explains CAST's coverage (static code quality analysis, architectural analysis, code quality analysis) for these application security standards:

Additional suggested reading:

  • Juliet and OWASP Benchmark Results: How CAST Tests Against 2 Most Important Application Security Standards
  • False Positive in Security - Why We Like to Cry Wolf

Srinivas Kedarisetty Security Product Owner
Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.