Web Application Security Policy

1.0 Purpose

Web application vulnerabilities ~~account~~represent ~~for~~a ~~the largest portion of~~primary attack ~~vectors~~vector ~~outside~~and ofpose ~~malware.~~significant Itrisks to organizational security. Identifying and remediating vulnerabilities resulting from misconfigurations, coding errors, weak authentication, improper error handling, or information leakage is crucial ~~that~~before ~~any~~applications ~~web~~are ~~application~~deployed beor ~~assessed~~updated. ~~for vulnerabilities and any vulnerabilities be remediated prior to production deployment.~~

The purpose of this policy is to define the mandatory requirements for conducting web application security assessments within ~~<Company~~the ~~Name>.~~organization. ~~Web~~This ~~application~~policy ~~assessments~~aims to ensure that potential weaknesses are ~~performed to identify potential or realized weaknesses as a result of inadvertent mis-configuration, weak authentication, insufficient error handling, sensitive information leakage, etc.~~ ~~Discovery~~identified and ~~subsequent~~mitigated, ~~mitigation of these issues will limit~~limiting the attack surface of ~~<Company~~web ~~Name> services available both internally~~applications and ~~externally~~services, asprotecting ~~well~~organizational asdata, ~~satisfy~~and ensuring compliance with ~~any~~ relevant ~~policies~~security instandards ~~place.~~and change control processes.

2.0 Scope

This policy ~~covers~~applies to all web applications developed, deployed, hosted, or managed by the organization, whether internal or external-facing. It applies to all individuals, groups, departments, and third-party vendors involved in the development, deployment, management, or assessment of these web applications. All web application security assessments requested ~~by any individual, group~~ or ~~department~~performed ~~for~~within the ~~purposes~~organization fall under the scope of ~~maintaining~~this policy.

3.0 Policy Statements

3.1 Assessment Requirement and Authority

* All web applications within the ~~security posture, compliance, risk management, and change control~~scope of ~~technologies~~this inpolicy ~~use~~are atsubject ~~<Company~~to ~~Name>.~~

security

assessments

~~All~~defined ~~web~~herein.
* Web application security assessments ~~will~~must be performed only by ~~delegated~~designated and qualified security ~~personnel~~personnel, either employed or contracted by ~~<Company~~the ~~Name>~~organization (hereafter referred to as the "Assessment Team").
* ~~All~~Assessment findings are considered confidential organizational information and ~~are to~~must be distributed ~~to persons~~strictly on a ~~“need~~"need-to-know" basis to ~~know”~~personnel ~~basis.~~involved in ~~Distribution~~the ofapplication's ~~any~~development, ~~findings~~management, ~~outside~~or ofremediation ~~<Company~~efforts. ~~Name>~~External distribution is ~~strictly~~ prohibited ~~unless~~without ~~approved~~explicit byexecutive ~~the~~approval (e.g., Chief Information ~~Officer.~~Officer).

3.2 Assessment Triggers and Scope

~~Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited.~~ ~~Limitations and subsequent justification will be documented prior to the start of the assessment.~~

~~4.1~~ Web applications ~~are~~must ~~subject to~~undergo security assessments based on the following criteria:

**New or Major Application ~~Release~~Release:** –A ~~will~~**Full beAssessment** ~~subject~~is torequired a*before* ~~full assessment prior to~~final approval ofin the change control ~~documentation~~process ~~and/or~~and ~~release~~deployment into the ~~live~~production environment.

~~Third~~ **Third-Party or Acquired Web ~~Application~~Application:** –A ~~will~~**Full beAssessment** is required before integration into the organization's environment or network. Post-assessment, the application is subject to ~~full~~all ~~assessment~~requirements ~~after~~of ~~which~~this itpolicy.
* ~~will be bound to policy requirements.~~

**Point Releases –(Minor ~~will~~Functional beChanges):** ~~subject to an~~An appropriate assessment level (**Targeted** or **Quick**, potentially **Full** depending on risk) is required, determined by the Assessment Team based on the scope and potential security impact of the changes.
* **Patch Releases (Bug Fixes, Minor Updates):** An appropriate assessment level (**Targeted** or **Quick**) is required, determined by the Assessment Team based on the risk ofassociated with the ~~changes~~patches ~~in the application functionality and/~~or ~~architecture.~~

fixes.

~~Patch~~Security ~~Releases~~patches –addressing ~~will~~known vulnerabilities require **Targeted** validation testing.
* **Emergency Releases:** In documented emergency situations requiring immediate deployment, a security assessment may be ~~subject~~temporarily tobypassed anwith ~~appropriate~~explicit ~~assessment~~approval ~~level based on the risk of the changes to the application functionality and/or architecture.~~

~~Emergency Releases – An emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out.~~ ~~Emergency releases will be~~from designated asexecutive ~~such~~leadership ~~by the~~(e.g., Chief Information Officer or ~~an appropriate manager who has been~~ delegated ~~this~~authority). ~~authority.~~However, the application carries assumed risk, and a **Full Assessment** must be scheduled and performed as soon as practicably possible post-deployment (e.g., within 30 days).

* **Scoping:** Assessments will include all components and tiers of the application identified during scoping unless explicitly limited with documented justification approved before the assessment begins.

~~4.2~~3.3 ~~All~~Risk ~~security~~Rating ~~issues~~and ~~that~~Remediation

~~are~~

Security ~~discovered~~vulnerabilities identified during assessments ~~must~~will be ~~mitigated based upon the following risk levels. The Risk Levels are~~risk-rated based on ~~the~~a standard methodology (e.g., OWASP Risk Rating ~~Methodology.~~Methodology). Remediation must occur according to the following requirements:

* **High Risk:** Vulnerabilities rated as High must be remediated, or effective compensating controls must be implemented and approved by the Assessment Team/Information Security, **before** the application is deployed or allowed to remain in production. Failure to address High-risk issues may result in the application being denied deployment or taken offline immediately. Remediation validation testing ~~will~~is bemandatory.
* ~~required~~**Medium toRisk:** ~~validate~~Vulnerabilities ~~fix~~rated ~~and/or mitigation strategies for any discovered issues of~~as Medium ~~risk level or greater.~~

~~High – Any high risk issue~~ must be ~~fixed~~reviewed, ~~immediately~~and ora ~~other~~remediation ~~mitigation~~plan ~~strategies~~with timelines must be ~~put~~developed inand ~~place~~approved. toRemediation ~~limit~~should ~~exposure~~typically ~~before~~occur ~~deployment.~~within the ~~Applications~~next ~~with~~planned ~~high~~release ~~risk~~cycle ~~issues~~(e.g., ~~are~~point/patch ~~subject to being taken off-line~~release) or ~~denied~~within ~~release~~a ~~into~~defined ~~the~~timeframe ~~live~~(e.g., ~~environment.~~

60-90

~~Medium~~days). ~~– Medium risk issues should be reviewed to determine what is required to mitigate and scheduled accordingly.~~ ~~Applications with medium risk issues may be taken off-line or denied release into the live environment based~~Depending on the number and nature of ~~issues~~Medium-risk ~~and if multiple issues increase~~findings, the ~~risk~~Assessment toTeam/Information anSecurity ~~unacceptable~~may ~~level.~~require mitigation ~~Issues~~or delayed deployment. Remediation validation testing is mandatory.
* **Low Risk:** Vulnerabilities rated as Low should be ~~fixed~~reviewed, ~~in a patch/point release unless other mitigation strategies will limit exposure.~~

~~Low – Issue should be reviewed to determine what is required to correct the issue~~documented, and scheduled ~~accordingly.~~for remediation as part of regular maintenance cycles or future releases based on available resources.

3.4 Assessment Levels

~~4.3~~The ~~The~~Assessment Team will perform assessments at the following ~~security~~levels, ~~assessment~~as ~~levels shall be established by the Precision Computer organization or other designated organization that will be performing the assessments.~~ appropriate:

* **Full –Assessment:** AComprehensive ~~full assessment is comprised of tests~~testing for ~~all~~a wide range of known web application vulnerabilities ~~using both automated and manual tools~~(e.g., based on ~~the~~ OWASP Testing ~~Guide.~~Guide, OWASP ATop ~~full~~Ten, ~~assessment~~SANS ~~will~~Top ~~use~~25) using a combination of automated scanning tools and in-depth manual penetration testing techniques to validate ~~discovered~~findings and assess actual risk.
* **Quick Assessment:** Primarily automated vulnerability scanning focused on common high-impact vulnerabilities ~~to determine the overall risk of any and all discovered.~~

~~Quick – A quick assessment will consist of a~~ (~~typically) automated scan of an application for the~~e.g., OWASP Top ~~Ten~~Ten) ~~web~~to provide a rapid risk overview. Manual validation may be limited.
* **Targeted Assessment:** Focused testing on specific vulnerabilities (e.g., for remediation validation) or specific new/changed application functionality.

3.5 Approved Tools and Techniques

* The Assessment Team will utilize a set of approved automated scanning tools and manual testing methodologies. *(The specific list of approved tools should be maintained internally by the Assessment Team).*
* The Assessment Team reserves the right to use additional tools or techniques as necessary to investigate potential vulnerabilities, validate findings, and determine overall risk.

4.0 Integration with Change Control

* Web application security ~~risks~~assessments atare aan ~~minimum.~~

integral

~~Targeted~~part –of Athe ~~targeted~~organization's change control process.
* Relevant assessment isresults ~~performed~~and remediation status must be documented within the change control records before deployment approval for applicable releases (New, Major, Point, Patch).
* Applications deployed without adhering to ~~verify vulnerability remediation changes or new application functionality.~~

~~4.4 The current approved web application security~~the assessment ~~tools~~requirements inof ~~use~~this ~~which will be used for testing are:~~

• ~~<Tool/Application 1>~~

• ~~<Tool/Application 2>~~

• …

~~Other tools and/or techniques~~policy may be ~~used~~subject ~~depending~~to ~~upon~~immediate ~~what~~removal ~~is found in~~from the ~~default~~production ~~assessment~~environment ~~and the need to determine validity and risk are subject to~~at the discretion of ~~the~~Information Security ~~Engineering~~or ~~team.~~executive leadership.

5.0 Compliance

5.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer ~~team~~team, Information Security, Internal Audit) will verify compliance towith this policy through various methods, including ~~but~~review ~~not~~of ~~limited~~change ~~to,~~control ~~periodic~~records, ~~walk-thrus,~~audit ~~video~~of ~~monitoring,~~assessment ~~business tool reports, internal~~reports and remediation tracking, penetration testing, internal/external audits, and ~~feedback~~review toof ~~the~~application ~~policy~~security ~~owner.~~program documentation.

5.2 Exceptions

Any exception to ~~the~~this policy ~~must~~(e.g., bedelaying ~~approved~~an assessment beyond standard triggers) requires formal, documented justification, risk acceptance by appropriate business and IT leadership, and advance approval from the designated Information Security authority (e.g., Precision Computer ~~team in advance.~~ Team).

An5.3 ~~employee~~Enforcement

~~found~~

Failure to ~~have~~comply ~~violated~~with this policy may beresult ~~subject~~in deployment delays, applications being taken offline, or other corrective actions. Non-compliance by personnel may lead to disciplinary action, up to and including termination of ~~employment.~~employment or contract.

6.0 Definitions

* **Web ~~application~~Application:** ~~assessments~~A ~~are~~client-server computer program where the client (including the user interface and client-side logic) runs in a ~~requirement~~web ofbrowser.
* **Vulnerability:** A weakness in a system, application, or process that could be exploited by a threat actor.
* **OWASP (Open Web Application Security Project):** A non-profit foundation focused on improving software security. Known for resources like the ~~change control process and are required to adhere to this policy unless found to be exempt.~~ ~~All application releases must pass through the change control process.~~ ~~Any web applications that do not adhere to this policy may be taken offline until such time that a formal assessment can be performed at the discretion of the Chief Information Officer.~~

OWASP Top Ten ~~Project~~

(list

~~OWASP~~of critical web application security risks), Testing ~~Guide~~Guide,

~~OWASP~~and Risk Rating ~~Methodology~~Methodology.
* **Penetration Testing:** A simulated cyber attack against a computer system to check for exploitable vulnerabilities.
* **Remediation:** The process of fixing or mitigating identified vulnerabilities.
* **Compensating Control:** An alternative security measure put in place when it is not feasible or practical to directly remediate a vulnerability according to standard requirements.

* Change Management Policy
* Secure Development Lifecycle (SDL) Policy / Standards
* Vulnerability Management Policy
* Risk Management Framework / Policy
* Information Security Policy (Overall)
* Third-Party Risk Management Policy