Overview of Control 18

00:00

Hey, everyone, welcome back to the core. So in the last video, we took a look at control number 17 and how it maps to the new cybersecurity framework

00:08

and this video. We're gonna talk about control number 18 which is application software security.

00:15

So when we talk about applications, software security, we're talking about poorly designed software or inherently vulnerable software. So using bad libraries use unknown vulnerabilities. Aziz well, is not doing proper input validation. So when we think of applications offer security one of the easiest things to think of

00:35

is it a loss Top 10 list, right?

00:37

Showing us that, Yes, these are the various vulnerabilities that are commonly exploited.

00:43

So let's take a look at the sub controls for this one.

00:46

So some control 18 1 We want to make sure we established secure coding practices with our development team. So in, ah, in whatever language is that the development team is using, we just want to make sure that there's doing it from a secure coding

01:03

aspect and not just writing the software to write it right.

01:08

Sub control 18. To ensure that explicit air checking is actually performed for anything that's developed in house.

01:18

Now, what you also want to do is you want to document any type of testing that you've done on. So

01:23

this exclusive they're checking. We're talking about input here, right? So we're gonna make sure that we check for things like the size if we put in various data types acceptable, acceptable ranges, acceptable format, etcetera. So we want to make sure we're checking that for any heirs before we actually roll out the software.

01:45

Some control. 18 3 Verify that any acquired software is actually still supported. So I should work for healthcare company

01:52

where

01:53

the software itself hadn't been supported for.

01:57

Oh, it was I was, like, over 10 years. I think we're like, 15 years. It was very old software that they were still using it on their production network.

02:06

And the company that actually had written software went out of business. So obviously there was no updates. There was no hardening of the software. So you just want to make sure that number one is still supported software on the number two. Does that company have a likelihood of sticking around or not? And you can't control that aspect of it, But

02:23

think through what happens if they go out of business? Are you? Do you? Is there another solution out there you could buy? If so, is there extra cost to that? That's not inside your budget. So think through all those things when you're acquiring that software.

02:37

Some control 18 4 only use up to date and trusted third party components. So again, going back to our thinking about people that download APS just cause they want to get, like the lower priced app from some third party, make sure that this actually trusted. If it's not, go to like the APP store and download it right cause you're less likely.

02:54

No. 100%. But you're less likely to have Mauer on a happy gift from the

02:59

like Thea the Apple store compared to something you download from joe Schmo dot com. Right,

03:07

So Control 18 5 He's only standardised and extensively reviewed encryption algorithm, so basically used the encryption algorithms that are commonly in use at the particular time that you're watching this video. So right now it's, you know, things like a e s encryption, but based on when you're watching this video in sometime in the future,

03:27

it could be a different encryption algorithm that you're using

03:32

some control. 18 6 Insure that the software development personnel are actually traded. Secure coding, Right. So going back to secure coding best practices,

03:40

you want to make sure people are actually trained properly so they naturally know how to do best practices was secure coding. So that way don't they don't to keep Googling stuff, right? So just because you tell somebody do this through this one time doesn't mean they learned it. So actually trained people to make sure they understand how to secure the software better

04:00

some control. 18 7 Apply static and dynamic code analysis. So number one look at your code, right? So with static analysis, we're looking at the code itself and then dynamic code analysis were looking Yet what does the code actually do when we run it?

04:14

Does it function properly? Is a throwing error messages? What's going on with it?

04:19

Some control 18 8 established process to accept an address Reports of any suffer vulnerabilities. So a lot of companies may have a bug bounty program. So if you're getting that type of reporting that, see that you establishing a process for when people find vulnerabilities with your software, they report him to you through that process, and you may be

04:38

send him a T shirt or you pay them some money or whatever. The case might be.

04:43

Some control 89 Separate the production and not production systems. We talked about this before, right, having a production environment as well as some kind of a test environment for you to do like software updates, etcetera, and see if anything breaks before you roll it over to production.

05:00

Some control. 18 10 So deploying a Web application firewall,

05:05

especially if you're in the cloud environment. You want to make sure that you are deploying laughs throughout your cloud infrastructure.

05:15

Some control. 18 11. Make sure using hardening configuration templates for databases Eventually. Again, we're going back to just hardening things up.

05:24

And when we're talking from the application standpoint, when we've got applications that are relying on a specific database, we want to make sure that we're using these hardening templates.

05:34

Ah,

05:35

and also making sure that

05:39

any systems we have

05:42

there's actually a that they're actually part of, like a critical business process, right? So if they're part of a critical business process and we're running the applications on them. We want to make sure we test those systems to make sure that their hard earned enough for us to use.

06:00

So this video would have talked about C. I s control number 18. In the next video, we're gonna talk about