Application Security Standards and Regulations

  1. Threat Modeling Overview:

    • Threat modeling helps identify, enumerate, and prioritize potential threats, such as structural vulnerabilities or the absence of safeguards.

    • Its purpose is to provide a systematic analysis of the controls or defenses a system needs, taking into account the nature of the system, the probable attacker's profile, the likely attack vectors, and the assets an attacker would most want.

  2. Threat Modeling Methodologies:

    • STRIDE: Developed by Microsoft in 1999, focuses on finding threats in products using patterns and practices.

    • PASTA (Process for Attack Simulation and Threat Analysis): A seven-step, risk-centric methodology that aligns business objectives with technical requirements and focuses on dynamic threat identification and mitigation.

    • TRIKE: Uses threat models as a risk management tool, establishing stakeholder-defined acceptable risk levels, and constructing a risk model based on assets, roles, actions, and risk exposure.

    • VAST (Visual Agile and Simple Threat Modeling): Scalable across infrastructure and the SDLC, integrates with Agile methodologies, and provides actionable outputs for stakeholders without requiring specific security expertise.
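
    The enumeration and prioritization described in sections 1 and 2, carried out in code as an added example (not taken from the notes): a small data-flow model is walked with STRIDE-per-element, each element's recorded safeguards are matched against the six STRIDE categories, and threats with no covering safeguard (the "absence of safeguards" case) are ranked first by asset value. The element-to-category mapping, the safeguard labels and the sample model are assumptions constructed for the example.

```python
# STRIDE-per-element threat enumeration over a tiny data-flow model.
# Assumed mapping (standard STRIDE-per-element, not from the notes):
# external entity -> S,R; process -> all six; data store -> T,R,I,D; data flow -> T,I,D.
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}
# Constructed safeguard labels and the STRIDE category each one addresses.
COVERS = {"authn": "S", "integrity": "T", "audit_log": "R",
          "encryption": "I", "rate_limit": "D", "authz": "E"}

@dataclass
class Element:
    name: str
    kind: str                  # key of APPLICABLE
    asset_value: int           # 1 (low) .. 5 (crown jewels)
    safeguards: set = field(default_factory=set)

def enumerate_threats(elements):
    """Return (element, threat, mitigated) for every applicable STRIDE category."""
    out = []
    for el in elements:
        covered = {COVERS[s] for s in el.safeguards if s in COVERS}
        for cat in APPLICABLE[el.kind]:
            out.append((el.name, STRIDE[cat], cat in covered))
    return out

def prioritize(elements):
    """Unmitigated threats (absent safeguards) first, then by asset value descending."""
    value = {el.name: el.asset_value for el in elements}
    return sorted(enumerate_threats(elements),
                  key=lambda t: (t[2], -value[t[0]], t[0], t[1]))

# Constructed sample model: browser -> login API -> user database.
MODEL = [
    Element("browser", "external_entity", 1, {"authn"}),
    Element("login_api", "process", 3, {"authn", "authz", "audit_log"}),
    Element("user_db", "data_store", 5, {"encryption"}),
]

if __name__ == "__main__":
    for name, threat, mitigated in prioritize(MODEL):
        print(f"{'OK ' if mitigated else 'GAP'} {name:10} {threat}")
```

    Running it lists the seven uncovered threats first, with the unprotected user database at the top; swapping in a different element-to-category mapping (for example adding "R" to data stores only when they hold logs) is a one-line change to APPLICABLE.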

  3. Security Standards and Regulations:

    • CERT C Coding Standard: Developed by the CERT Coordination Center, focuses on improving the safety, reliability, and security of software written in C.

    • Common Weakness Enumeration (CWE): A category system for software weaknesses, maintained by the MITRE Corporation and supported by US-CERT and the Department of Homeland Security.

    • Security Technical Implementation Guide (STIG): Developed by the Defense Information Systems Agency, standardizes security protocols across networks, servers, and systems.

    • ISO Standards:

      • ISO 27034: Describes minimum requirements for application security controls (ASC) and maps to a prediction application security rationale (PASR).

      • ISO 24772: Provides guidance on avoiding vulnerabilities through language selection and use in programming.

    • PCI Data Security Standard (PCI-DSS): Mandated by the Payment Card Industry Security Standards Council, increases controls around cardholder data to reduce credit card fraud.

    • NIST SP 800-53: Catalogs security and privacy controls for all US federal information systems, published by the National Institute of Standards and Technology.

  4. Key Regulations:

    • Gramm-Leach-Bliley Act (GLBA): Modernized financial services, allowing more information sharing but with privacy limitations.

    • Health Insurance Portability and Accountability Act (HIPAA): Modernized healthcare information flow and protected personally identifiable information.

    • Sarbanes-Oxley Act (SOX): Set requirements for US public company boards and management, including provisions for evidence preservation during federal investigations.

  5. Compliance Controls:

    • Understanding and implementing security standards and regulations is crucial for stopping attacks and ensuring application security. Compliance is an integral part of the application security landscape.