Definition
Application security refers to the protection of government digital and ICT applications from threats such as unauthorised access and modifications. It covers the security aspects specific to the application design, development and deployment, as well as the systems and methods used to secure apps after they are deployed.
Purpose
Application security ensures that security is an integral part of the application lifecycle. This can help mitigate vulnerabilities, reduce the risk of security breaches and protect sensitive data and systems so the applications deliver on their purpose and intent.
A mature Application Security capability enables a fast and appropriate response to emerging threats and continuous improvement of security status.
Application security is realised through:
- the definition, planning, deployment and use of appropriate security measures (including policies/processes and technological solutions) to protect applications
- consideration of the capability as part of a complementary suite of security capabilities, including Information Asset Security, Network Security, Privacy, and Permissions.
Objectives
The objectives of this content are to ensure:
- application solutions across government are implemented to a standard relevant to their organisation’s risk appetite regarding security
- entities are familiar with application security best practices, allowing them to make informed decisions on investment in application security
- new application solutions are informed by preceding investments, implementations, and learnings to maximise re-use and minimise risks
- strategic alignment of application security features to the Australian Government’s cyber security goals
- minimum compliance with contractual obligations, legislation and regulation, government policies and standards and any national or international agreements relating to application security.
Whole-of-government applicability
On 22 November 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy, a roadmap that will help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030. The capability of Application Security supports its agenda through:
- ensuring that security considerations are incorporated into the design, development, and deployment of applications across the Australian Public Service
- developing a unified and comprehensive approach to this capability to fortify individual applications and contribute to the overall resilience and security posture of the entire government infrastructure
- preventing vulnerabilities, reducing the risk of security breaches, and protecting sensitive data and systems.
The Data and Digital Government Strategy (DDGS) sets a vision for 2030 to deliver simple, secure and connected public services for all people and business, through world class data and digital capabilities.
Maturity in the capability of Application Security will be of critical importance to the DDGS missions:
- Trusted and secure: The Australian Government commits to improving and maintaining trust in its use of data and digital technologies including through adopting robust and appropriate privacy and security settings to keep peoples’ information safe.
- Simple and seamless services: The Australian Government commits to ensuring technology is scalable, secure, resilient and interoperable, with new systems and infrastructure that supports data access and discoverability.
Policy Elements
-
Comply with legislation and regulation
An entity must comply with any legislation relevant to its circumstances.
-
Align to guidelines and standards
All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.
-
Be secure-by-design
The integration of application security as a core element of digital products and services from the design phase through to deployment and beyond ensures security considerations and mitigations are embedded and effective throughout the lifecycle of the investment.
-
Align operational and technological needs
Analysis and assessment of specific needs, and determination of operational and technological functional and non-functional requirements, ensures selected for application security measures and protocols are fit-for purpose as well as traceable in their coverage of entity needs.
-
Apply a risk-based approach
The selection, deployment, and maintenance of application security solutions in balance with risks associated with the applications being secured will ensure that operational elements of security are prioritised, and solutions do not inadvertently impact system performance and functionality.
-
Implement preventative measures
Implementation of appropriate reporting processes is critical for both awareness of risk, and transparency. If an application is a critical infrastructure asset, entities must comply with the Security of Critical Infrastructure Act 2018 (Cth).
-
Implement detective measures
Entities should consider and implement application security measures focused on identifying issues or breaches that may have already occurred or that are in progress.
-
Implement reporting measures
Entities should consider and implement appropriate reporting processes. If an application is a critical infrastructure asset, entities must comply with the Security of Critical Infrastructure Act 2018 (Cth).
-
Implement corrective measures
The pro-active preparation of corrective measures will ensure entities are prepared to take action to fix vulnerabilities and restore security in an application after a breach or attack is detected.
-
Adhere to reuse principles
Entities should prioritise the reuse of existing digital and ICT solutions, patterns, or knowledge. Where necessary, design new solutions with a focus on future reuse.