Australian Government Architecture

Application Security Standard

The Australian Government ensures the safety and security of its operations to remain a trusted custodian of sensitive information. It will continue to maintain the safe, secure operation of government systems and technology through the effective implementation of the Information Security Manual, Protective Security Policy Framework, the Essential Eight Mitigations, and by increasingly adopting secure-by-design and secure-by-default principles and tactics.

An Application Security Standard will ensure that applications are developed and maintained with security in mind, protecting sensitive data and preventing unauthorised access, use, disclosure, modification, or destruction of that data. This ensures that the Australian Government maintains the safety and security of its operations and remains a trusted custodian of sensitive information.

Cornerstones of investment include the secure environments within which applications are hosted, and appropriate proactive approaches to detective, reporting, and corrective measures.

It is critical this standard be considered alongside those of complementary capabilities:

  • Information Asset Security.
  • Network Security.
  • Permissions.

Comply with legislation

Entities must:

  • comply with relevant Commonwealth legislation including (but not limited to): 
    • Archives Act 1983 (Cth)
    • Data Availability and Transparency (DAT) Act 2002 (Cth)
    • Privacy Act 1988 (Cth) 
    • Security of Critical Infrastructure Act 2018 (Cth)
  • comply with any other legislation applicable to specific functions and circumstances.

Align to guidelines and standards

Entities must:

Entities should consider and align, where suitable, to security frameworks across Government:

Entities should also consider the following from organisations outside of the APS:

Be Secure-by-Design

Entities should:

  1. application control
  2. patch applications
  3. configure Microsoft Office macro settings
  4. user application hardening
  5. restrict administrative privileges
  6. patch operating systems
  7. multi-factor authentication
  8. regular backups

Align operational and technological needs

Entities should:

  • design applications to integrate seamlessly with an existing security infrastructure to provide layered security
  • use trusted suppliers vetted as part of cyber supply chain risk management assessments
  • record suppliers on their approved supplier list once vetted
  • ensure security solutions for applications are scalable and flexible to adapt to evolving threats and technological advancements
  • integrate security awareness and training programs, as human factors may pose a significant risk to the security of applications.

Apply a risk-based approach

Entities should:

  • be careful to ensure that security mechanisms do not inadvertently impact the performance, availability, accessibility, or other aspects of systems to the detriment of the user experience
  • prioritise security considerations throughout all stages of the software delivery lifecycle, including when architecting, developing, testing, and deploying applications
  • integrate security awareness and training programs
  • demonstrate and foster a culture of security among their employees.

Implement preventative measures

Entities should:

  • implement access controls to ensure that users are granted the minimum level of access necessary to perform their job function, in line with a "zero trust" approach
  • define and manage user permissions based on job roles, streamlining access management and reducing potential security risks (for more detail on permissions, refer to the Permissions capability page)
  • use multi-factor authentication for user authentication
  • ensure that both hardware and software are current, including:
    • timely implementation of tested vendor-supplied vulnerability patches
    • ongoing support and budget for necessary security works.

Implement detective measures

Entities should:

  • implement detective controls such as intrusion detection systems, antivirus scanners, and agents that monitor system health and availability
  • develop and implement mechanisms for continuous vulnerability assessment and remediation across all stages of the software delivery lifecycle.

Implement reporting measures

Entities should:

  • consider and implement appropriate reporting processes
  • have protocols and processes for reporting and recording any security incidents.

Implement corrective measures

Entities should:

  • establish a process for timely identification of attacks to prevent further compromise of the application
  • be able to understand the impact of an attack, by gathering facts and evaluating risks, including potential harm to affected individuals, and, where possible, take action to remediate any risk of harm
  • test and deploy security patches and updates to mitigate known vulnerabilities.

Adhere to reuse principles

The Reuse content on the Australian Government Architecture provides information for entities on reuse.

Entities should:

  • consider application security-specific functional and non-functional requirements prior to solution design or consideration of technology choice, including:
    • application interfaces and interoperations
    • broader system purpose
    • performance and availability requirements
    • privacy/sensitivity concerns
  • meet the requirements of the whole-of-government reuse policy.

Capabilities

This standard supports digital solutions in the following capability.

  • CAP11: Application Security

Policies

This standard assists in meeting the requirements of the following policies.

  • POL41: Application Security Policy
