QW: Test web and other application code for source code errors prior to deployment using automated source code analysis software, if source code is available. In particular, input validation and output encoding routines of application software should be carefully reviewed and tested.
QW: Test web applications for common security weaknesses using web application scanners prior to deployment and then no less often than weekly as well as whenever updates are made to the application.
Config/Hygiene: Verify that security is embedded in the application development life cycle of all applications.
Config/Hygiene: Protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks, including but not limited to Cross-Site Scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web based, deploy specific application firewalls if such tools are available for the given application type.
Procedures and tools for implementing this control:
Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software, along with manual application security penetration testing by testers who have extensive programming knowledge as well as application penetration testing expertise. The Common Weakness Enumeration (CWE) is utilized by many such tools to identify the weaknesses that they find. Organizations can also use CWE to determine which types of weaknesses they are most interested in addressing and removing. A broad community effort to identify the “Top 25 Most Dangerous Programming Errors” is available as a minimum set of important issues to investigate and address. When evaluating the effectiveness of testing for these weaknesses, the Common Attack Pattern Enumeration and Classification (CAPEC) can be used to organize and record the breadth of the testing for the CWEs as well as a way for testers to think like attackers in their development of test cases.
Critical Control 8: Controlled Use of Administrative Privileges