Sensitization Day on Application Security

Cybersecurity is increasingly becoming a significant challenge for both public and private organizations, as well as individuals. The rise and sophistication of cyberattacks have become a top concern for decision-makers and users at all levels.

In this context of escalating cyber threats, the application environment is one of the prime targets for hackers. To shed light on this issue, and as a continuation of the actions taken in 2021, the DGSSI organized an awareness day on application security. The opening remarks for this day were delivered by Mr. Abdellah BOUTRIG and Mr. Sidi Mohammed DRISSI MELYANI, respectively Director of Assistance, Training, Control, and Expertise at the DGSSI and General Director of the Digital Development Agency. Indeed, the DGSSI and the ADD work closely together to promote a culture of secure development in Morocco.

Held in a hybrid format during the morning of April 12, 2022, this day saw the participation of over 480 individuals representing various sectors from both the public and private domains. The event was led by high-level international experts and professionals with years of experience, particularly in the field of application security.

The program of the day highlighted some best security practices to adopt during software development, with a particular focus on the OWASP Application Security Verification Standard (ASVS) and software testing fundamentals.

The OWASP ASVS provides a basis for testing the technical security controls of web applications and gives developers a list of requirements for secure development. It comprises a total of 286 controls across 14 verification categories, organized by functional family and by level of requirement. It defines three verification levels corresponding to the security level required, the highest of which calls for a thorough analysis of the architecture and the code, together with testing at all levels.

Regarding software testing, it should be noted that, according to ANSI/IEEE 1059, software testing is the process of evaluating a software product to determine whether it meets its specified requirements. The testing process examines the features of the software product for missing requirements, bugs or errors, and for security, reliability and performance constraints.

Generally, tests are classified into three categories:

  •  Functional tests;
  •  Non-functional tests or performance tests;
  •  Maintenance (regression and maintenance).

Additionally, the day featured two presentations on software testing delivered by representatives from the Moroccan and French Software Testing Committees, emphasizing the importance of these tests in terms of:

  •  Cost-effectiveness: Bugs detected in early development phases are cheaper to fix;
  •  Security: Risks are identified and eliminated early;
  •  Software quality: The product delivers the promised value by meeting initial requirements to achieve desired final results.

The presentations also highlighted the fundamentals of security testing, through the presentation of the ISTQB certification process. Through their complementary missions focused on implementing secure systems and raising awareness of digital and technical standards for digital products and services, the DGSSI and the ADD are already aware of this issue. To further strengthen the available resources for public and private administrations, as well as critical infrastructures, and enable them to conduct recommended tests during the development cycle, they have adopted an application security verification framework.

This application security verification framework, expertly presented by OWASP, incorporates several security standards, including the NIST 800-63-3 guidelines on digital identity, the NIST SP 800-57 recommendations on key management, the OWASP Top 10 2021, the OWASP Proactive Controls 2018, section 6.5 of PCI DSS v3.2.1, and a mapping to CWE. It is primarily based on ASVS version 4.0.3, published in October 2021 by the OWASP community, and applies to all software development models. It aims to achieve two major objectives:

  1. Assist organizations in developing and maintaining secure applications (automated unit test and integration test guide, secure development training guide);
  2. Guide stakeholders in selecting the best software acquisition offers from development companies. The requirement framework will provide stakeholders with a solution based on secure development best practices, allowing them to compare the requirements they have expressed with the proposals from bidders.

The application security verification framework includes three security verification levels. Level three represents the highest assurance level. The appropriate verification level to be adopted will depend on:

  •  The nature of the organization (critical infrastructures, public institutions, banks, administrations, etc.);
  •  Legal requirements to which the organization is subject;
  •  Compliance with security standards.

These levels are defined as follows:

  •  Level 1: This is a low assurance level. It includes standard intrusion tests and constitutes an initial step toward progressively securing an entity's applications. It is sometimes sufficient for applications that do not store or process sensitive data, and thus do not require the rigorous controls contained in levels 2 or 3. Level 1 controls can be automatically executed by tools or manually performed without access to source code.
  •  Level 2: This is necessary for applications containing sensitive data requiring appropriate protection. This level is generally recommended for most applications.
  •  Level 3: This is the highest level and is intended for critical applications handling highly sensitive data or requiring a high level of trust.

Based on risk analysis and business requirements, each organization must determine the appropriate level of requirement. Furthermore, the awareness day presented several tools and mechanisms that can support the implementation of the application security verification framework and help automate the development process. Among the solutions presented that could add value in applying security rules at the SDLC level are the SKF framework and the DefectDojo API.