Argentina approves introductory guidelines on security for the development of web applications

By Mariano Peruzzotti and Belen Sorrentino

On November 11, 2021, Regulation No. 8/2021 of the National Directorate of Cybersecurity within the structure of the Argentine Chief of Cabinet was published in the Argentine Official Gazette. This regulation approves the introductory guidelines on security for the development of web applications (“Guidelines”). The regulation is aimed at developers of internal software in the public sector, as well as members of the public administration that subcontract these kinds of developments to third parties.

The Guidelines offer different recommendations in relation to the stage of the web application development process. The purpose of the Guidelines is to reduce development efforts and exposure to external vulnerabilities. The following are some of the most important aspects of the Guidelines:

  • The Guidelines provide a simplified model to follow when starting a software project. At this stage, several kinds of analysis should be conducted, including resource allocation, context analysis, definition of responsibilities and review of the applicable regulatory framework.
  • When starting a project, certain IT security aspects must be considered. For instance, the developer should consider the risk of exposure to common external attacks, the likelihood of any of those attacks succeeding, and the responsibility of protecting the confidentiality and integrity of information through security controls and secure development techniques, among others.
  • When analyzing the requirements of the app, certain security activities shall be taken into consideration, such as asset classification, security requirements, privacy requirements and risk analysis.
  • The Guidelines recommend the application of safe design principles that help prevent failures, such as:
    • minimizing the surface that can be exposed to attacks;
    • designing the app in a way that allows it to be regularly maintained and upgraded;
    • following the security by default principle;
    • maintaining usability;
    • enabling authorization by default; and
    • segregating responsibilities and roles.
  • As to the app implementation stage, the Guidelines recommend several good practices to increase security, such as:
    • a system to control versions;
    • error and bug tracking;
    • taking other factors into consideration when relying on third parties; and
    • implementing standards.
  • The Guidelines offer several recommendations aimed at increasing the security of the code developed. These include validating all inputs using open-source validation libraries, properly encoding all outputs using external controls and centralizing control routines.
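The three code-level recommendations above (validate every input, encode every output, keep the control routines in one place) fit naturally together in a single module. The following Python snippet is an added illustration written for this summary; it is not taken from the Guidelines, and the field names, allow-list patterns and the `render_profile` handler are assumptions chosen only to show the pattern.

```python
"""Centralized input validation and output encoding for a web handler.

Added example (not from the Guidelines). Every field is checked against an
allow-list rule kept in one table, and every value is encoded for the context
it is emitted into (HTML body or URL query) just before output.
"""
import html
import re
from urllib.parse import quote


class ValidationError(ValueError):
    """Raised when an input does not match its allow-list rule."""


# Constructed allow-list rules: one place to audit, test and update.
# A field without a rule is rejected rather than silently accepted.
_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "display_name": re.compile(r"[\w .'-]{1,64}"),
    "email": re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}"),
    "page": re.compile(r"[1-9][0-9]{0,3}"),
}


def validate(field: str, value) -> str:
    """Central validation routine: allow-list match or ValidationError."""
    if field not in _RULES:
        raise ValidationError(f"no validation rule defined for field {field!r}")
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected a string")
    if not _RULES[field].fullmatch(value):
        raise ValidationError(f"{field}: value does not match the allowed format")
    return value


def encode_for_html(value: str) -> str:
    """Encode for an HTML text or attribute context (escapes <, >, &, \", ')."""
    return html.escape(value, quote=True)


def encode_for_url(value: str) -> str:
    """Encode for a URL query component (percent-encodes everything reserved)."""
    return quote(value, safe="")


def render_profile(raw_form: dict) -> str:
    """Hypothetical handler: validate on entry, encode on exit.

    Takes the raw form dictionary as received from the client and returns
    the HTML fragment to send back.
    """
    username = validate("username", raw_form.get("username", ""))
    display_name = validate("display_name", raw_form.get("display_name", ""))
    email = validate("email", raw_form.get("email", ""))
    return (
        f"<p>{encode_for_html(username)} ({encode_for_html(display_name)})</p>"
        f'<a href="/users?email={encode_for_url(email)}">profile</a>'
    )


if __name__ == "__main__":
    # Constructed sample input: a valid submission followed by a rejected one.
    print(render_profile({"username": "alice_01",
                          "display_name": "O'Brien",
                          "email": "a+b@example.com"}))
    try:
        validate("username", "<script>")
    except ValidationError as exc:
        print("rejected:", exc)
```

Keeping the rules in one table and the encoders in one module means a reviewer can audit the allow-lists in a single place, and a handler that forgets to validate a field fails loudly instead of passing the raw value through. Note that the apostrophe in `O'Brien` passes validation but is still encoded on output, which is why encoding is a separate step from validation rather than a substitute for it.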
  • The Guidelines list the most frequent types of cyberattacks to assist developers with identifying and preventing them.
  • The Guidelines propose security tests to verify whether the design and implementation of the application meet security requirements.
  • Once the security tests have been passed, certain practices should be taken into consideration when deploying to production. The development, test and production environments should be segregated. Unnecessary components should be eliminated, security components should be activated and the configuration established for each component should be documented.
  • To maintain security levels, the Guidelines propose the implementation of backup protocols, periodic security monitoring and alerts, incident and vulnerability reports, and verification of security updates.
  • Finally, at the end of the app’s life cycle, special consideration must be taken for the privacy of the stored data. In the case of information migration and portability, measures must be taken to prevent its integrity from being compromised and to establish custody mechanisms to ensure confidentiality.

The text of the Guidelines can be consulted at the following site (in Spanish).

For further information contact: mperuzzotti@ojambf.com.
