September 11, 2021

App Development Security Assurance

I’m looking for assurance from our dev team around the security of in-house developed apps in order for them to support processing PII data. I’ve started drawing up areas for consideration, including:

* Evidence of coding practices that are geared towards security
* 3rd party libraries maintenance
* Code storage, accessibility and audit
* Data management – classification, encryption, key management
* Application authentication, authorisation & audit – app RBAC controls
* SDLC – Testing & release processes (testing for security)

Are there any published frameworks, development assurance models or other such reference material that I could use to ensure I am asking all the right questions?

And do I take the responses to these questions at face value? Short of examining the code myself I’m not sure what else I can do. I guess I’m looking for evidence that they actually have secure coding practices in place – documented coding standards, for example?

Comments

G4PRO

Even though it isn’t specific to app development I would look into iso 27001 and maybe specifically for 27003 and 27005 to ensure security and risk management

philthechill

Yes look up BSIMM and OWASP SAMM for two good maturity models.

Consistent_Access865

It would be good to bring in a security organization that can perform what is called ‘source code reviews’. Usually pen test vendors can do this and they basically look at all the source code itself for the companies apps, perform actions in the app, and look at how the app handles requests and sends responses. They can also tell you if any of the code itself is incorrect from a security point of view and make recommendations on how to do it better at the code level.

​

In the end, never trust your devs. Always have a 3rd party verify what they tell you.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.