Australian Government Architecture
Search

Type

Capability

Reference

.

Mandate

Endorsed

Application Security

Definition

Application Security refers to the protection of digital and ICT applications from threats such as unauthorised access and modifications. It covers the security aspects specific to the application design, development, and deployment process, as well as the systems and methods to secure apps after they are deployed.

Purpose

Application Security ensures that security is an integral part of the application lifecycle. This can work to mitigate vulnerabilities, reduce the risk of security breaches, and protect sensitive data and systems such that the applications deliver on their purpose and intent.

A mature capability in Application Security enables fast and appropriate response to emerging threats, and continuous improvement of security posture.

Application Security is realised through:

  • the definition, planning, deployment, and use of appropriate security measures (including policies/processes and technological solutions) to protect applications in a manner suited to the situation-specific circumstances
  • consideration of the capability as part of a complementary suite of security capabilities, including Information Asset Security, Network Security, Privacy, and Permissions.

Objective

The objectives of this Australian Government Architecture (AGA) content are to:

  • ensure application solutions across Government are implemented to an appropriately secure standard relevant to their risk of security compromise
  • ensure that entities are familiar with application security best practices, allowing them to make informed decisions on investment in application security
  • ensure that new application solutions draw security efficiency from preceding investments, implementations, and learnings to maximise re-use and minimise risk
  • ensure strategic alignment of application security features to the Australian Government’s cyber security goals
  • meet the minimum compliance with contractual obligations, legislation and regulation, government policies and standards, and any national or international agreements relating to application security.

Whole-of-Government Applicability

The 2023-2030 Australian Cyber Security Strategy and 2023-2030 Australian Cyber Security Action Plan impose obligations on the APS for Application Security through:

  • ensuring that security considerations are incorporated into the design, development, and deployment of applications across the Australian Public Service
  • developing a unified and comprehensive approach to this capability to fortify individual applications and contribute to the overall resilience and security posture of the entire government infrastructure
  • preventing vulnerabilities, reducing the risk of security breaches, and protecting sensitive data and systems.

The Data and Digital Government Strategy and Implementation Plan impose obligations on the APS for Application Security through:

  • Simple and seamless services: To deploy scalable and secure architecture
  • Trusted and secure: To connect data, digital, and cyber security, and build and maintain trust.

Policy Elements

Policy:
POL41
Application Security Policy Mandate:
Endorsed
Status:
Core

  • Comply with legislation and regulation

    An entity must comply with any legislation relevant to its circumstances.

  • Align to guidelines and standards

    All Commonwealth entities must comply with the Protective Security Policy Framework, as well as any other mandatory frameworks, policies, and standards.

  • Be Secure-by-Design

    Entities should consider application security early. Threats should be considered from the outset to enable mitigations through thoughtful design, architecture, and security measures.

  • Align operational and technological needs

    Entities should implement application security measures and protocols that align to operational and technological requirements.

  • Apply a risk-based approach

    Entities should ensure that application security solutions are maintained in balance with the risks associated with the applications being secured.

  • Implement preventative measures

    Entities should implement measures designed to prevent application security incidents before they occur. 

  • Implement detective measures

    Entities should consider and implement application security measures focused on identifying issues or breaches that may have already occurred or that are in progress.

  • Implement reporting measures

    Entities should consider and implement appropriate reporting processes. If an application is a critical infrastructure asset, entities must comply with the Security of Critical Infrastructure Act 2018 (Cth).

  • Implement corrective measures

    Entities should be prepared to take action to fix vulnerabilities and restore security in an application after a breach or attack is detected.

  • Adhere to reuse principles

    Entities should give priority to the adoption of reuseable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.

Domains

This capability is part of the following domain.
DOM9

Cyber Security

Policies

The following policies have requirements that impact this capability.
Protective Security Policy Framework (PSPF)
POL19
Mandate: Endorsed
Status: Core
The PSPF sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally. Application of the PSPF assures government that entities are implementing…
Application Security Policy
POL41
Mandate: Endorsed
Status: Core

Standards

The following standards support development of digital solutions in this capability.

Application Security Standard

STA54
The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. It will continue to maintain the safe, secure operation of government systems and technology through the effective implementation of the Information Security Manual,…

Designs

The following designs include examples of how digital solutions in this capability can be delivered.

Integrated Regulatory Information System (IRIS)

DES155

Lead Agency: Comcare

Technology Type: Microsoft Dynamics 365

Integrated Regulatory Information System (IRIS) is the primary application used by Comcare’s Regulatory Operations Group for various regulatory licensing, monitoring, compliance, and investigation tasks. It is a central, organised, easy-to access place to store data about notifications (work health…

Strategic Alignment

Digital solutions in this capability can support the following strategies.

2023-2030 Australian Cyber Security Strategy

Was this information helpful?

Do not include any personal information. We are unable to respond to comments or feedback. If you would like a response, please email, or phone us. Our details are on the AGA contact page www.architecture.digital.gov.au/contact-us.