DISA APPLICATION SECURITY AND DEVELOPMENT CHECKLIST (VER. 2, REV. 1.5) (26 JUN 2009)
This document contains procedures that enable qualified personnel to conduct an Application
Security Readiness Review (SRR). The Application SRR assesses compliance, in part, with
DISA’s Application Security and Development Security Technical Implementation Guide
(STIG) Version 2, R1.
DISA Field Security Operations (FSO) conducts Application SRRs to provide a minimum level
of assurance to DISA, Joint Commands, and other Department of Defense (DoD) organizations
that their applications are reasonably secure against attacks that would threaten their mission.
The complexity of most mission critical applications precludes a comprehensive security review
of all possible security functions and vulnerabilities in the time frame allotted for an Application
SRR. Nonetheless, the SRR helps organizations address the most common application
vulnerabilities and identify information assurance (IA) issues that pose an unacceptable risk to
operations.
Ideally, IA controls are integrated throughout all phases of the development life cycle.
Integrating the Application Review process into the development life cycle will help to ensure the
security, quality, and resilience of an application. Since the Application SRR is usually
performed close to or after the application's release, many of the Application SRR findings must
be fixed through patches or modifications to the application infrastructure. Some vulnerabilities
may require significant application changes to correct. The earlier the Application Review
process is integrated into the development life cycle, the less disruptive the remediation process
will be.