Monday, November 2, 2020

Application Security Policies Ideas

 Application Security Policy ideas. A thread for my #infosec friends ...

Make your policy applicable to all applications (internal, external, 3rd party hosted, custom built, off the shelf, outsourced, etc)

Require configuration management (change controls , CMDB, etc)

Require Testing evidence and approval prior to deployments

Require Vulnerability management and patching on a cadence , make sure to include all 3rd party add-one, libraries, and dependencies

Ensure separate environments for production vs non-production (different servers , different accounts , different databases)

Require Separation of Duties including code reviews performed by someone other than the developer and deployments done by someone other than the developer 

Require logging (authentication, web , database, OS level, administrative logs) , store logs on a secondary system like a SIEM and prevent tampering.

Developers must perform input validation regardless of the source (text fields , url parameters , API parameters, input files, etc )

Passwords must be hashed and salted at rest , encrypted in transit , must meet a complexity policy that includes preventative commonly used ones, and passwords resets should occur using temporary expiring links.

Applications must include access control , at a minimum separating users from administrators.

Applications must follow least privilege for users and service accounts ensuring the accounts only have access to the functionality they require.

Sensitive data must be encrypted at transit and at rest.

Data should never be copied from Production to Non-Production without first being sanitized of sensitive data.

Purge data that is beyond required retention periods , and purge unused code , screens, and dependencies to reduce the attack surface.

Error screens displayed to users  should not display code , technical detail or stack traces .

Administrative screens should not be public facing , but instead require VPN or internal network access to administer.

Contracts with software providers , hosters, development teams , etc should define who owns the data, who owns the compliance requirements, and also include SLAs for vulnerability response , incident notification and response.

Newly on-boarded developers must complete security training and read all security policies prior to writing any code. 

Code reviews must check for the OWASP Top 10.

Source code must be stored in version control that records who made what changes and when.

Test websites should not be publicly exposed but instead require VPN or internal network access.

Email addresses on public facing sites should not be scrape-able to minimize malspam/phishing attack surface.

After any major changes , vulnerability scans must be re-run and the CMDB must be updated.

Require a re-occurring cadence of penetration testing your application from a source outside of your own team.

Have an emergency patching procedure and communication plan in place and test it on a cadence.

Implement all security gardening procedures provided by 3rd parties including at the application , web, database, and OS level.

Monitor and proactively ensure you prevent any end of life , end of support, or licensing restriction issues that could impact your ability to perform incident response.

Document and get the data owner’s approval for any exceptions to the application security policy.

Hope this helps you in your application security policy adventures my #infosec friends!


  1. Thanks, great article… webcam monitoring Software remote support servers is another very good remote deskop client which you can add in the above list. It is an on premise solution which works on all platforms plus works from behind the firewall, hence better security.

  2. Are you in need of finance? we give out guarantee cash at 3% interest rate. Contact us on any kind of finance now: whatsapp Number +918929509036 Dr James Eric Finance Pvt Ltd

  3. Hello to everyone out here, I am here to share the unexpected miracle that happened to me … My name is Susan Christian , I live in London, UK. we got married for more than 9 years and have gotten two kids. thing were going well with us and we are always happy. until one day my husband started to behave in a way i could not understand, i was very confused by the way he treat me and the kids. later that month he did not come home again and he called me that he want a divorce, i asked him what have i done wrong to deserve this from him, all he was saying is that he want a divorce that he hate me and do not want to see me again in his life, i was mad and also frustrated do not know what to do, i was sick for more than 2 weeks because of the divorce. i love him so much he was everything to me without him my life is incomplete. i told my sister and she told me to contact a spell caster, i never believe in all this spell casting of a thing. i just want to try if something will come out of it. i contacted Dr Emu for the return of my husband to me, they told me that my husband have been taken by another woman, that she cast a spell on him that is why he hate me and also want us to divorce. then they told me that they have to cast a spell on him that will make him return to me and the kids, they casted the spell and after 24 hours my husband called me and he told me that i should forgive him, he started to apologize on phone and said that he still live me that he did not know what happen to him that he left me. it was the spell that he Dr Emu casted on him that make him come back to me today, me and my family are now happy again today. thank you Dr Emu for what you have done for me i would have been nothing today if not for your great spell. i want you my friends who are passing through all this kind of love problem of getting back their husband, wife , or ex boyfriend and girlfriend to contact Dr Emu ,if you need his help you can contact him through his private mail: or you can contact him through his website fb page Https:// and you will see that your problem will be solved without any delay.