CIS Control 16 Explained: Application Software Security

CIS Control 16 covers application software security: managing the security of in-house developed, hosted and acquired software by establishing a software security lifecycle that prevents, detects and remediates software security weaknesses.

The Importance of Control 16

Application vulnerabilities can arise from various factors, including insecure design, inadequate infrastructure, coding errors, weak authentication and insufficient testing for unexpected conditions. Attackers can exploit these vulnerabilities – such as Structured Query Language injection (SQLi), Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) – to access sensitive data or take control of vulnerable assets, which can then serve as a launching point for further attacks.

Implementation Groups (IGs)

To implement CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), which are self-assessed categories for organizations based on relevant cybersecurity attributes. You can think of them as levels of increasing security requirements, from IG1, the most basic, to IG3, the most advanced. The higher-level groups are included in the lower ones.

The Safeguards of Control 16

There are fourteen safeguards in CIS Control 16. They are listed below, along with their associated NIST CSF security function and the Implementation Group at which each safeguard first applies.

| Safeguard Number | Safeguard Title | NIST Security Function | Starting Implementation Group |
|------------------|-----------------|------------------------|-------------------------------|
| Safeguard 16.1 | Establish and Maintain a Secure Application Development Process | Govern | IG2 |
| Safeguard 16.2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities | Govern | IG2 |
| Safeguard 16.3 | Perform Root Cause Analysis on Security Vulnerabilities | Protect | IG2 |
| Safeguard 16.4 | Establish and Manage an Inventory of Third-Party Software Components | Identify | IG2 |
| Safeguard 16.5 | Use Up-to-Date and Trusted Third-Party Software Components | Protect | IG2 |
| Safeguard 16.6 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | Govern | IG2 |
| Safeguard 16.7 | Use Standard Hardening Configuration Templates for Application Infrastructure | Protect | IG2 |
| Safeguard 16.8 | Separate Production and Non-Production Systems | Protect | IG2 |
| Safeguard 16.9 | Train Developers in Application Security Concepts and Secure Coding | Protect | IG2 |
| Safeguard 16.10 | Apply Secure Design Principles in Application Architectures | Protect | IG2 |
| Safeguard 16.11 | Leverage Vetted Modules or Services for Application Security Components | Identify | IG2 |
| Safeguard 16.12 | Implement Code-Level Security Checks | Protect | IG3 |
| Safeguard 16.13 | Conduct Application Penetration Testing | Detect | IG3 |
| Safeguard 16.14 | Conduct Threat Modeling | Protect | IG3 |