
New Introductory Security Guide is Published for Web Application Development

The National Cybersecurity Directorate of the Ministry of Public Innovation published the “Introductory Security Guide for the Development of Web Applications,” which sets out principles and security best practices for every stage of the secure development life cycle of web applications.

December 15, 2021

The Guide complements Administrative Decision No. 641/2021, which established the Minimum Information Security Requirements for the National Public Sector, and is aimed at those who perform software development functions, IT supervisors, and Technology and Information Security areas.

The Guide addresses the secure development of web applications throughout the entire life cycle, which it divides into seven stages, providing recommendations for each:

1. Project start: the Guide recommends starting from the premise that the application will be attacked periodically and that some of these attacks may succeed. Accordingly, the Guide suggests involving the security team from the outset.

2. Requirements analysis: the Guide recommends identifying the elements that require special consideration because of their value to the organization. In addition, it makes recommendations on security requirements, privacy requirements and arbitrary requirements, and on establishing priorities among them.

3. System design: the Guide suggests applying the following secure design principles: (i) minimizing the attack surface; (ii) designing with maintenance in mind; (iii) identifying the weakest link; (iv) secure by default; (v) preserving usability; (vi) authorization required by default; (vii) least privilege; (viii) separation of responsibilities and roles; (ix) defense in depth; (x) client-side controls are insufficient; (xi) helping administrators; (xii) designs that do not depend on secrecy; and (xiii) threat modeling.
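Three of the design principles listed above (authorization required by default, least privilege, and not relying on client-side controls) can be illustrated in a small request handler. The following is an added example written for this article; it is not code from the Guide or from the National Cybersecurity Directorate. The roles, permissions, and the `Request`/`handle` names are hypothetical, constructed for illustration.

```python
"""Added example: deny-by-default authorization, least-privilege role
mapping, and server-side validation for a web-style request handler."""
from dataclasses import dataclass, field
from typing import Optional

# Least privilege: each role is granted only the permissions it needs.
# Roles and permission names are hypothetical, constructed for this example.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}


@dataclass
class Request:
    user: Optional[str]          # None means the caller is unauthenticated
    role: Optional[str]
    action: str
    params: dict = field(default_factory=dict)


def is_authorized(role, action):
    """Authorization required by default: an action is allowed only if it is
    explicitly granted to the role; unknown roles and unlisted actions are denied."""
    return action in ROLE_PERMISSIONS.get(role, set())


# Weak pattern shown for contrast: a deny-list. Any action that nobody thought
# to list (e.g. a newly added "report:delete") is silently allowed.
DENIED_ACTIONS = {"user:manage"}


def is_authorized_denylist(role, action):
    """Fail-open check: denies only what is listed, allows everything else."""
    return action not in DENIED_ACTIONS


def validate_report_id(value):
    """Client-side controls are insufficient: re-validate the parameter on the
    server even if the form or browser script already restricted it.
    Returns an int for a well-formed id, or None."""
    if not isinstance(value, str) or not value.isdigit() or not 1 <= len(value) <= 9:
        return None
    return int(value)


def handle(request):
    """Returns an (HTTP status, message) pair. Checks run in order:
    authentication, then authorization, then input validation."""
    if request.user is None:
        return 401, "authentication required"
    if not is_authorized(request.role, request.action):
        return 403, "forbidden"
    if request.action.startswith("report:"):
        report_id = validate_report_id(request.params.get("id"))
        if report_id is None:
            return 400, "invalid report id"
        return 200, f"{request.action} on report {report_id}"
    return 200, request.action


if __name__ == "__main__":
    print(handle(Request("ana", "viewer", "report:write", {"id": "7"})))   # 403
    print(handle(Request("ana", "editor", "report:write", {"id": "7"})))   # 200
    print(is_authorized("viewer", "report:delete"),                        # False
          is_authorized_denylist("viewer", "report:delete"))               # True
```

The allow-list in `is_authorized` means that adding a new action to the application changes nothing until someone deliberately grants it to a role, whereas the deny-list in `is_authorized_denylist` exposes every new action by default; the validation step runs regardless of what the client claims to have checked.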

4. Implementation: at this stage, the Guide highlights the need to establish criteria for classifying errors and failures according to their priority and the severity of the defects they cause, and recommends the use of version control tools such as Git, Subversion, Mercurial and CVS.

5. Testing: the Guide recommends starting security testing in parallel with development, prioritizing the most critical components of the application. It likewise recommends conducting penetration tests and manual code audits, and sets out precautions to take if testing is outsourced.

6. Production: the main recommendations for deploying the application are the segregation of environments and the hardening of the hosts involved.

7. Maintenance: the Guide recommends maintaining security levels throughout the operation of the application and suggests implementing a backup procedure, periodic security monitoring and alerting, offering a channel for reporting failures, errors and vulnerabilities, and considering the privacy of the stored data when the application is decommissioned.

The Guide includes two Exhibits describing the most prevalent types of attacks, how to prevent them, and how to raise security levels. The first Exhibit is an Introduction to the OWASP Top Ten, an awareness document for developers on web application security; the second is an Introduction to BSIMM (Building Security In Maturity Model), a maturity model that guides an organization that develops software on the actions it can take to make that software more secure.