DECEMBER 20, 2021

Disposition No. 8/2021 of the National Cybersecurity Directorate: “Introductory Guide to Security for the Development of Web Applications”.

CIRCULARS

TMT Department Report | Disposition No. 8/2021 of the National Cybersecurity Directorate: “Introductory Guide to Security for the Development of WEB Applications”

Dear Sir or Madam,

Disposition No. 8/2021 (the “Disposition”) of the National Cybersecurity Directorate (the “Directorate”), published in the Official Gazette on November 11th, 2021, approves the “Introductory Guide to Security for the Development of WEB Applications” (the “Guide”).

The Guide was drafted with the main purpose of contributing to the secure development of applications in organizations that belong to the national public sector and is therefore addressed to those who carry out software development functions for this sector, as well as to those responsible for Systems, Technology, and Information Security areas.

In this spirit, through the Guide, it is intended that in all stages of the software development life cycle, including the initial stages, the principles and good security practices are incorporated to ensure the protection of intellectual property of software developments and compliance with Law 25,326 on Data Protection.

Among some of the most important recommendations of the Guideline, the following can be mentioned:

1. When beginning the development of the application, the Guideline foresees the different types of Secure Development Lifecycle models to be undertaken (such as OWASP, (ISC)² CSSLP, Microsoft SDL, NIST SP800-64, or even a model suggested by the Directorate itself).

2. The implementation of a security approach from the onset of software development to avoid vulnerabilities before the application is deployed. To this end, the Guideline suggests that certain premises be considered, such as: “The application will be attacked”, “Some attack will work”, “User privacy”, among others.

3. During the requirements analysis, the Guideline suggests the implementation of a range of security activities, such as asset classification, abuse cases, security, privacy and/or arbitrary requirements, risk analysis, among others.

4. The adoption of certain secure design principles to avoid vulnerabilities, such as: minimizing the attack surface, designing for maintainability, detecting weaknesses (“the weakest link”), security by default, maintaining usability, among others.

5. Taking actions to increase security in the software implementation process, such as: securing tools, providing version control systems, being cautious when contracting third parties, among others.

6. In terms of software code development, the Guide also sets out recommendations for secure programming, such as the use of well-known open-source libraries as a method of implementing the input validation module, among other recommendations.

7. The Guide incorporates a list of the most frequent cyber-attacks for software developers so they can identify and prevent them.

8. Criteria for security testing are established for early detection to avoid major failures and to reduce their impact. Recommended security tests also include static scanning tools, penetration tests, manual code audits, among others.

9. Once the verification of the testing stage has been completed, the Guide establishes good practice recommendations for the deployment of the application developed, which include measures for the segregation of environments and hardening (vulnerability reduction) of equipment. It also establishes recommendations for the maintenance of applications to maintain security levels during the operation of the software.

You may access the full text of the Disposition and its Annex by clicking on the following link: Disposition 8/2021 National Cybersecurity Directorate.

Please do not hesitate to contact us should you require any additional information on this matter.

Sincerely,

Emilio Beccar Varela
Florencia Rosati