SaFi Bank Space : Application Security

Overview

Application security is an important part of the SDLC, as it ensures that security is embedded in the application by design. It is now integrated into the DevOps process, which is commonly called DevSecOps. Application security is managed as two parallel processes, Proactive and Reactive.

Proactive focuses on the development of new features or changes to the application, ensuring that the proper security controls are in place before release. Reactive focuses on operations, where the running application is continuously monitored and tested for vulnerabilities, threats, and gaps.

Life Cycle

For each new feature and change, application security starts with assessment and engineering, which screens the change, models its threats, and designs the security requirements. All identified gaps should be addressed during development and verified during testing. Once deployed to production, the application is continuously monitored in operations for new threats, vulnerabilities, or gaps. Identified items are handled in the vulnerability management process and addressed in the Gap Analysis and Remediation Plan process through the vulnerability response procedures.

Baseline

The application security baseline is made up of guidelines. Each guideline serves as the minimum requirement to consider along the SDLC. The guidelines set the expectations for a feature or change: which minimum security controls are needed and what level of security is expected, based on the outcome of the screening process.

Baseline:

Testing

Application security testing is performed by internal teams and by external third-party vendors. The scope, framework, and methodology are the same for both: each follows OWASP-based standard procedures when testing the target scope.

The only difference between a third party and the internal team is the strategy. By default, a third party is allowed to perform security testing against applications, but with the existing security controls left in place. The tester can be whitelisted through those controls if needed, but this requires approval and is allowed only within the agreed time period.

The internal team, on the other hand, can test the application directly without the controls in place, but only within the time period agreed with the business.
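The time-boxed whitelisting described above is easy to get wrong in practice (an exception that never expires, or one that matches more addresses than the tester was approved for). The following is an added illustration, not SaFi's own tooling, of how a control could evaluate such an exception: deny by default, match the tester's approved source range only, and honour the window only between its agreed start and end. The ticket identifier format, the `parse_window` helper, and the maximum window length are assumptions for the example.

```python
"""Time-boxed allowlist for approved third-party security testing.

Added illustration (not the page's or SaFi's own code). Assumes an
approved exception is recorded as an approval reference, a source CIDR,
and an agreed start time plus duration, and that the control consults
this list for every request before deciding whether to bypass itself.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence

# Assumed policy limit: no single testing window longer than two weeks.
MAX_WINDOW_HOURS = 24 * 14


@dataclass(frozen=True)
class TestWindow:
    ticket: str                      # approval reference (hypothetical format)
    source: ipaddress.IPv4Network | ipaddress.IPv6Network
    start: datetime                  # timezone-aware, inclusive
    end: datetime                    # timezone-aware, exclusive

    def covers(self, ip: str, at: datetime) -> bool:
        """True only if ip is inside the approved range AND at is inside the window."""
        addr = ipaddress.ip_address(ip)
        if addr.version != self.source.version:
            return False
        return addr in self.source and self.start <= at < self.end


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp and insist that it carries a timezone."""
    when = datetime.fromisoformat(iso)
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return when


def parse_window(ticket: str, cidr: str, start_iso: str, hours: int) -> TestWindow:
    """Build a window from the approved record; reject open-ended or oversized ones."""
    if not 0 < hours <= MAX_WINDOW_HOURS:
        raise ValueError(f"window must be 1..{MAX_WINDOW_HOURS} hours, got {hours}")
    start = at(start_iso)
    # strict=True refuses a CIDR with host bits set, e.g. 203.0.113.5/28,
    # so a typo cannot silently widen the approved range.
    source = ipaddress.ip_network(cidr, strict=True)
    return TestWindow(ticket, source, start, start + timedelta(hours=hours))


def bypass_allowed(windows: Sequence[TestWindow], src_ip: str, now: datetime) -> Optional[str]:
    """Return the ticket that authorises bypassing the controls for this request,
    or None (the default) when no approved window covers the source and time."""
    for window in windows:
        if window.covers(src_ip, now):
            return window.ticket
    return None


def expired(windows: Sequence[TestWindow], now: datetime) -> List[TestWindow]:
    """Windows whose agreed period has ended; these should be removed from the control."""
    return [w for w in windows if w.end <= now]


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    window = parse_window("SEC-1234", "203.0.113.0/28", "2024-06-01T09:00:00+00:00", 8)
    for ip, when in [("203.0.113.5", "2024-06-01T12:00:00+00:00"),
                     ("203.0.113.17", "2024-06-01T12:00:00+00:00"),
                     ("203.0.113.5", "2024-06-01T17:00:00+00:00")]:
        print(ip, when, "->", bypass_allowed([window], ip, at(when)))
```

The control should call `bypass_allowed` on every request rather than caching a yes/no per source, so that the exception stops working the moment the agreed window ends, and `expired` gives the operations team the list of entries to clean up.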