8.26 Application Security Requirements

Information security requirements should be identified, specified and approved when developing or acquiring applications.

Application security requirements in information security refer to a set of guidelines and standards that organisations use to ensure that their software applications are secure and free from vulnerabilities.

Examples of application security requirements include:

• Input validation: Applications must validate all input received from external sources to ensure that it is safe to use and free from malicious code.
• Authentication and access control: Applications must have mechanisms in place to authenticate and authorize users, and to control access to sensitive data and functionality.
• Data encryption: Applications must encrypt sensitive data, both in transit and at rest, to protect it from unauthorised access or disclosure.
• Error handling and logging: Applications must handle errors in a secure manner and must log all security-relevant events for later review.
• Secure coding practices: Applications must be developed using secure coding practices, such as using secure libraries and frameworks, and following guidelines for avoiding common vulnerabilities.
• Penetration testing: Applications must be tested for vulnerabilities using automated tools and manual penetration testing.
• Incident response: Applications must have a plan in place for responding to security incidents, including incident detection, incident response, and incident recovery.