Application Security Standards

Application security standards are established by leading industry research and standards bodies to help organizations identify and remove application security vulnerabilities in complex software systems.

Application Security Standards Organizations

The following organizations set security standards for national and international network applications.

ANSI - American National Standards Institute sets standards for the banking industry.
FIPS - Federal Information Processing Standards public standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors. FIPS standards are issued to establish requirements for various purposes such as ensuring computer security and inter-operability, and are intended for cases in which suitable industry standards do not already exist. Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
ISO/IEC - International Standards Organization and the International Electrotechnical Commission is an independent, non-governmental international organization with a membership of 162 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.
IETF - Internet Engineering Task Force is an open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet..
CISQ - The Consortium for IT Software Quality is an IT industry leadership group comprised of IT executives from the Global 2000, system integrators, outsourced service providers, and software technology vendors committed to introducing computable metrics standards for measuring software quality and size. CISQ is a neutral, open forum in which customers and suppliers of IT application software can develop an industry-wide agenda of actions for improving IT application quality to reduce cost and risk.
OWASP is an international organization and the OWASP Foundation supports OWASP efforts around the world. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

Application Security Standards

Open Web Application Security Project (OWASP) Top 10 - OWASP Top 10 provides a list of the 10 most critical web application security risks.
Common Weakness Enumeration (CWE) Top 25 – CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.
Payment Card Industry Data Security Standard (PCI DSS) - PCI DSS provides an actionable framework for developing a robust payment card data security process.
Consortium for IT Software Quality (CISQ) / OMG Automated Source Code Security Measure Standard - MITRE has participated to the CISQ initiative to specify an automated source code security measurement standard, derived from the CWE Top 25 by focusing on automatable measurements. Please also refer to MITRE own communication about their work with the CISQ

Application Security Tools
Application security tools, or Static Analysis Security Tools (SAST), like CAST help organizations leverage these application security standards and to automate the identification and remediation of applications security vulnerabilities. The following series of posts explain CAST’s coverage (static code quality analysis, architectural analysis, code quality analysis) for these application security standards:

[Additional suggested reading : Juliet and OWASP Benchmark Results: How CAST Tests Against 2 Most Important Application Security Standards

False Positive in security – Why We Like to Cry Wolf ]

Filed in: Application Security Risk & Security Software Security

Cloud Smart: How to Ensure an Efficient and Secure Journey

Recorded Webinar

Software Intelligence at the core of M&A Advisory

Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.

Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the targetâ€™s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.

Video Interview

Eliminate vulnerabilities while improving performance

CAST AIP was implemented for a Federal Law Enforcement Agency in the US. CAST AIP helped identify and resolve several critical violations and flaws in the software leading to an immediate saving of ~ $250K in software maintenance.

Case Study

Srinivas Kedarisetty Security Product Owner

Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.