[ISM] Security verification:

The OWASP Application Security Verification Standard is used in the development of web applications.

[OWASP] Prevent malicious code execution (SSS-02-11-10)

Prevent the introduction and execution of malicious code within applications by enforcing secure coding practices. For example: perform regular code reviews and static and dynamic security testing, and implement dependency scanning to detect supply chain risks; restrict the use of untrusted third-party components and libraries, verifying their integrity before integration; and continuously monitor application behavior for anomalies and unauthorized code execution so that potential threats can be mitigated.

[OWASP] Enforce code integrity (SSS-02-11-10-01)

V10.1 Code Integrity Controls

Use version control systems (VCS) like Git to manage code changes and ensure that code changes are tracked and reviewed. Implement digital signatures and code signing to ensure that the deployed code matches the original source and has not been tampered with. Employ code integrity checks during the build process, using automated tools to verify that no unauthorized modifications have been made to the code before deployment. Review code dependencies and libraries for authenticity and security to ensure that no vulnerable or unauthorized code is included.

V10.2 Malicious Code Search

Integrate static and dynamic analysis tools into the development and deployment pipeline to automatically scan for malicious code such as backdoors, ransomware, or other malware. Regularly conduct manual code reviews and employ automated scanning tools to detect and remove malicious or suspicious code from the application codebase. Use threat intelligence feeds to stay informed about known malicious code patterns and vulnerabilities that could impact your codebase.

V10.3 Deployed Application Integrity Controls

Monitor deployed applications using integrity verification mechanisms such as file integrity monitoring (FIM) to detect any unauthorized modifications to the application or its components in production. Implement continuous integrity checks by comparing the deployed code and configuration with the expected state from source control to identify discrepancies. Ensure that runtime application self-protection (RASP) is implemented to continuously monitor and defend against unauthorized changes or attacks on deployed applications.

By implementing code integrity controls, regular malicious code scans, and deployed application integrity checks, organizations can protect their applications from tampering, unauthorized modifications, and malware attacks.
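The integrity verification described in V10.1 (checking a third-party component against a pinned hash before integration) and V10.3 (comparing the deployed tree with the state recorded at build time) can both be built on one SHA-256 manifest routine. The following is an added illustration, not code from OWASP, the ISM or any product; all file names, contents and the pinned hash are constructed.

```python
# Added example (not OWASP/ISM code): hash-manifest integrity check for a
# deployed application tree. All paths and file contents are constructed.
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large artifacts are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_artifact(path: Path, pinned_sha256: str) -> bool:
    """V10.1: accept a third-party component only if it matches its pinned hash."""
    return hash_file(path) == pinned_sha256.lower()

def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(expected: dict[str, str], actual: dict[str, str]) -> dict[str, list[str]]:
    """V10.3: drift between the recorded (build-time) state and what is deployed."""
    common = expected.keys() & actual.keys()
    return {
        "modified": sorted(k for k in common if expected[k] != actual[k]),
        "added": sorted(actual.keys() - expected.keys()),
        "removed": sorted(expected.keys() - actual.keys()),
    }

def demo() -> dict[str, list[str]]:
    """Record a manifest for a constructed deployment, alter the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "main.py").write_text("print('hello')\n")
        (root / "app" / "config.yaml").write_text("debug: false\n")
        expected = build_manifest(root)  # state recorded at build/release time
        # Constructed drift of the kind FIM must report: one file changed in
        # place, one file added, one file removed.
        (root / "app" / "config.yaml").write_text("debug: true\n")
        (root / "app" / "extra.bin").write_bytes(b"constructed")
        (root / "app" / "main.py").unlink()
        return compare_manifests(expected, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

In a pipeline the expected manifest would be produced at release time, signed, and stored alongside the artifact; the production check then runs compare_manifests against a freshly computed manifest and alerts on any non-empty list.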

Operations

ID | Operation | Description | Phase | Agent
SSS-02-11-10-01-01 | Enforce secure coding practices | Ensure developers follow secure coding practices to prevent backdoors and malware injection, including validating inputs, using secure libraries, and avoiding unsafe coding patterns. | Development | Security Engineers, Software Developers
SSS-02-11-10-01-02 | Verify third-party dependencies for supply chain security | Conduct thorough checks on third-party dependencies and libraries to ensure they are free from known vulnerabilities and malware. Use trusted sources and maintain a software bill of materials (SBOM). | Development | DevOps Teams, Security Teams
SSS-02-11-10-01-03 | Conduct regular vulnerability scanning | Perform regular vulnerability scanning on codebases to identify potential security flaws, misconfigurations, or vulnerabilities that could be exploited by attackers. | Development | Security Teams, Quality Assurance
SSS-02-11-10-01-04 | Prevent unsafe use of deserialization | Avoid unsafe deserialization techniques that can lead to remote code execution or other vulnerabilities. Ensure that deserialization processes are secure and input is properly validated. | Development | Security Engineers, Software Developers
SSS-02-11-10-01-05 | Implement software composition analysis (SCA) | Use software composition analysis tools to detect vulnerable dependencies in the codebase, ensuring that third-party components do not introduce risks into the application. | Deployment | Security Teams, IT Operations

References

Industry framework:
  Information Security Manual (ISM-0971)
  OWASP Application Security Verification Standard
Academic work:
Real-world case: