1. User identification & Authentication
1.1 Support unique user-ID assignment
1.2 Prevent sharing of user-IDs, e.g. prohibit concurrent log-ons with the same user-ID from different locations
1.3 Perform user-ID authentication before granting access to resources
1.4 Perform user-ID authentication before resuming an expired session
1.5 Do not display sensitive information until the user is authenticated
1.6 Support local user-ID management (add, modify, delete, access-right granting)
1.7 Automatically log off inactive user sessions (idle timeout of 15 minutes or less)
1.8 Support single sign-on (e.g. ADFS)
1.9 Support Secure LDAP (LDAPS) or an equivalent protected directory protocol
1.10 Support two-factor authentication for user log-on
1.11 Support integration with an IAM product
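The session-handling items above (1.2, 1.4 and 1.7) are easy to get subtly wrong: the idle timer must be server-side, an expired session must be destroyed rather than silently refreshed, and a second log-on should revoke the first. The following Python is an added example written for this page, not code from any product under review; `SessionStore`, `Session` and the injectable `clock` are assumptions made for illustration and testing.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # requirement 1.7: force log-off after at most 15 idle minutes


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory session table that enforces the idle timeout (1.7), destroys
    expired sessions so the caller must re-authenticate (1.4), and allows only
    one live session per user-ID (1.2: a new log-on revokes the previous one)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}  # token -> session
        self._by_user: Dict[str, str] = {}       # user_id -> token

    def login(self, user_id: str) -> str:
        """Issue a fresh session token after the caller has authenticated the user (1.3)."""
        old = self._by_user.pop(user_id, None)
        if old is not None:
            self._sessions.pop(old, None)        # revoke the earlier session (1.2)
        token = secrets.token_urlsafe(32)        # 256-bit CSPRNG token: unguessable identifier
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        self._by_user[user_id] = token
        return token

    def touch(self, token: str) -> Optional[Session]:
        """Validate a request's session. Returns the session and refreshes its idle
        timer, or None (after destroying it) when it is unknown or has been idle too long."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            self.logout(token)                   # expired: send the user back to log-on (1.4)
            return None
        s.last_seen = now
        return s

    def logout(self, token: str) -> None:
        """Explicit log-off; also used internally to destroy expired sessions."""
        s = self._sessions.pop(token, None)
        if s is not None and self._by_user.get(s.user_id) == token:
            del self._by_user[s.user_id]
```

An idle timeout alone is not enough for long-lived browser tabs; pair it with an absolute session lifetime, and keep the table in a shared store (database or cache) when the application runs on more than one node so that revocation in `login` is effective everywhere.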
2. Password Configuration
2.1 Enforce case-sensitive alphanumeric passwords
2.2 Enforce at least one special character in addition to the case-sensitive alphanumeric requirement
2.3 Render application passwords unreadable on display, e.g. password masking
2.4 Render application, DB and OS passwords unreadable in any source code, configuration file or database by storing them as a salted hash using a strong, slow hashing algorithm. If hashing is not technically possible (e.g. a credential the application must present to another system), encrypt it with AES-256 at minimum and keep the key outside the source code and configuration files.
2.5 For applications that use an encryption method for passwords
2.6 Enforce a minimum password length of 8 characters
2.7 Enforce a password history of 4 (none of the last 4 passwords may be reused)
2.8 Enforce a maximum password age of 30 days
2.9 Lock the user-ID after 6 consecutive failed password attempts
2.10 Enforce a password change at first log-on (if the password was set by an administrator)
2.11 Prevent blank passwords
2.12 Do not use default passwords during development or implementation. Passwords must be changed to values complex enough to resist brute-force attack.
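Items 2.1, 2.2, 2.4, 2.6, 2.7, 2.9, 2.10 and 2.11 together describe one password-handling subsystem. The Python below is an added example written for this page (not vendor code) showing how those rules fit together: a policy check, salted PBKDF2-HMAC-SHA256 hashing with a self-describing storage format, constant-time verification, history comparison, and a lockout counter. `Account`, `check_policy` and the 600,000-iteration setting are assumptions for illustration; where available, Argon2id or scrypt is the better choice than PBKDF2, and the storage format is the same idea.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Tuple

MIN_LENGTH = 8            # 2.6
HISTORY_DEPTH = 4         # 2.7
MAX_FAILED_ATTEMPTS = 6   # 2.9
PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256
SPECIALS = set(string.punctuation)


def check_policy(password: str) -> Tuple[bool, str]:
    """Return (ok, reason). Implements 2.1, 2.2, 2.6 and 2.11."""
    if not password or not password.strip():
        return False, "blank password"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        return False, "needs both upper- and lower-case letters"
    if not any(c.isdigit() for c in password):
        return False, "needs a digit"
    if not any(c in SPECIALS for c in password):
        return False, "needs a special character"
    return True, "ok"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash (2.4). The record carries algorithm, cost and salt so the
    cost can be raised later without breaking existing entries."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; any malformed record simply fails to verify."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def reused_from_history(password: str, history: List[str]) -> bool:
    """2.7: compare against the stored hashes, never against plaintext copies."""
    return any(verify_password(password, h) for h in history[-HISTORY_DEPTH:])


class Account:
    """Minimal account record tying the checks together (assumed structure, not a product API)."""

    def __init__(self, user_id: str, initial_password: str):
        ok, reason = check_policy(initial_password)
        if not ok:
            raise ValueError(reason)
        self.user_id = user_id
        self.history: List[str] = [hash_password(initial_password)]   # newest last
        self.failed_attempts = 0
        self.locked = False
        self.must_change = True    # 2.10: initial password was set by an administrator

    def authenticate(self, password: str) -> bool:
        if self.locked:
            return False           # 2.9: locked accounts are refused even with the right password
        if verify_password(password, self.history[-1]):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def change_password(self, new_password: str) -> Tuple[bool, str]:
        ok, reason = check_policy(new_password)
        if not ok:
            return False, reason
        if reused_from_history(new_password, self.history):
            return False, f"matches one of the last {HISTORY_DEPTH} passwords"
        self.history = (self.history + [hash_password(new_password)])[-HISTORY_DEPTH:]
        self.must_change = False
        return True, "ok"
```

The lockout counter should live in the database, not in process memory, or a restart (or a second node) resets it; and the 30-day age rule (2.8) is a timestamp comparison on the same record at log-on time.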
3. User Authorization
3.1 Support role-based access control (need-to-do basis)
3.2 Restrict direct queries to the database, e.g. expose data only through restricted GUI menus rather than free-form query functions
3.3 Provide a function for reviewing segregation of duties.
4. Audit trail requirements
Application security logs must record the following items:
4.1 Each record must contain:
– Date and time of the event
– Type of event
– Identity of the user who caused the event / event source (IP address, user ID)
– The outcome (success or fail)
4.2 User management activities (add, delete, modify, authorization assignment)
4.3 Password management activities ( add, delete, modify, reset)
4.4 Log-on fail/ Log-on success
4.5 Log-off activity
4.6 Attempts to perform privileged activities that are denied by the application (failed activities)
4.7 Changes to security-log parameters (add, delete, modify, reset log)
Centralized log management
4.8 Deliver security logs to the customer's centralized log management for proper retention and monitoring, e.g. via the syslog protocol.
4.9 Application paths and files must be listed and submitted to IT security with an indication of their purpose and criticality.
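The record layout in 4.1 and the event classes in 4.2 to 4.7 are best emitted as one structured line per event, which is also what makes 4.8 (forwarding and monitoring) straightforward. The Python below is an added example written for this page, not code from any reviewed application: `AuditLogger`, its wrapper method names and the `flag_brute_force` rule are assumptions, and the log lines the test feeds to the monitor are constructed by the test itself.

```python
import json
import logging
import logging.handlers
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional, Set


class AuditLogger:
    """Writes one JSON object per security event carrying the 4.1 fields
    (UTC timestamp, event type, acting user, source IP, outcome) plus
    event-specific detail. One line per event keeps records greppable
    and trivially forwarded by syslog (4.8)."""

    def __init__(self, logger: Optional[logging.Logger] = None,
                 clock: Optional[Callable[[], datetime]] = None):
        self.logger = logger or logging.getLogger("app.security")
        self.clock = clock or (lambda: datetime.now(timezone.utc))   # UTC: see section 6

    def record(self, event: str, user: str, src_ip: str, outcome: str, **details) -> str:
        if outcome not in ("success", "fail"):
            raise ValueError("outcome must be 'success' or 'fail'")
        entry = {"ts": self.clock().isoformat(timespec="milliseconds"),
                 "event": event, "user": user, "src_ip": src_ip, "outcome": outcome}
        entry.update(details)                       # never put secrets (passwords, OTPs) here
        line = json.dumps(entry, sort_keys=True)    # stable key order for downstream parsers
        self.logger.info(line)
        return line

    # Wrappers for the event classes required in 4.2 to 4.7
    def logon(self, user, ip, ok):
        return self.record("logon", user, ip, "success" if ok else "fail")

    def logoff(self, user, ip):
        return self.record("logoff", user, ip, "success")

    def user_mgmt(self, actor, ip, action, target, ok=True):
        return self.record("user_mgmt", actor, ip, "success" if ok else "fail",
                           action=action, target=target)

    def password_mgmt(self, actor, ip, action, target, ok=True):
        return self.record("password_mgmt", actor, ip, "success" if ok else "fail",
                           action=action, target=target)

    def privilege_denied(self, user, ip, action):
        return self.record("privilege_denied", user, ip, "fail", action=action)

    def log_config_change(self, actor, ip, parameter, old, new):
        return self.record("log_config_change", actor, ip, "success",
                           parameter=parameter, old=old, new=new)


def attach_syslog(logger: logging.Logger, host: str, port: int = 514) -> logging.Handler:
    """Forward the logger to the central collector (4.8). Plain UDP syslog is shown;
    prefer a TLS-capable relay or a TCP socktype where the collector supports it."""
    handler = logging.handlers.SysLogHandler(
        address=(host, port), facility=logging.handlers.SysLogHandler.LOG_AUTHPRIV)
    logger.addHandler(handler)
    return handler


def flag_brute_force(lines: Iterable[str], threshold: int = 6) -> Set[str]:
    """Monitoring rule over exported lines: users with >= threshold failed log-ons
    (mirrors the 2.9 lockout threshold). Malformed lines are skipped, not fatal."""
    failures = {}
    for line in lines:
        try:
            d = json.loads(line)
        except json.JSONDecodeError:
            continue
        if d.get("event") == "logon" and d.get("outcome") == "fail":
            failures[d.get("user")] = failures.get(d.get("user"), 0) + 1
    return {u for u, n in failures.items() if n >= threshold}
```

Keeping the field names fixed (`ts`, `event`, `user`, `src_ip`, `outcome`) is what lets the central platform write one parser for every application that follows this sheet.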
5. Information Transfer
5.1 Enforce encryption for sensitive data in transit (e.g. TLS 1.2 or later) using AES-256 for the bulk cipher and RSA-2048 keys, or stronger, for key exchange and authentication at minimum. Examples of sensitive data are user/password, customer information and credit card numbers.
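"AES256 or RSA2048" is a statement about the TLS configuration, and most failures in review are not the key sizes but certificate verification being switched off or an old protocol version being allowed. The following Python is an added example written for this page (not a vendor's code) showing a compliant client and server `ssl` context beside the non-compliant setting, plus a small review check; `TLS12_CIPHERS`, `make_client_context`, `make_server_context`, `is_policy_compliant` and `weak_client_context` are assumptions for illustration.

```python
import ssl
from typing import Optional

# OpenSSL cipher list for TLS 1.2: forward-secret AEAD suites only.
# AES-256-GCM meets the "AES256 at minimum" bar; ChaCha20-Poly1305 is a 256-bit AEAD
# alternative of equivalent strength. TLS 1.3 suites are fixed by OpenSSL and are all AEAD.
TLS12_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
])


def make_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Outbound connections: verify the peer certificate against the CA bundle
    (system store when None), check the hostname, refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def make_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Listening side. The key size (RSA-2048 / P-256 or better) is a property of the
    certificate loaded here and is checked at issuance, not at run time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHERS)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def is_policy_compliant(ctx: ssl.SSLContext) -> bool:
    """Review check for a context handed in by application code: TLS 1.2 floor,
    and for client contexts, certificate verification plus hostname checking."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:
        return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
    return True


def weak_client_context() -> ssl.SSLContext:
    """The setting this requirement forbids, shown for comparison: verification off,
    so any certificate, including an interceptor's, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

When reviewing a vendor build, grep for `CERT_NONE`, `check_hostname = False` and `verify=False` (the equivalent in HTTP client libraries); these are the lines that turn "encrypted in transit" into "encrypted to whoever answers".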
6. Time synchronization
6.1 Support NTP time synchronization with the authorized server (or synchronize through the OS system time)
7. Application Vulnerability protection
7.1 Submit a report prepared by an independent party showing a clean result for penetration testing or secure source-code review.
7.2 Provide a white paper or written explanation describing all available security features
7.3 Provide a white paper or written explanation showing how the solution addresses the OWASP Top 10
7.4 Provide security vulnerability fixes at no additional cost for as long as the maintenance agreement is valid.
8. Data Masking
8.1 Unless there is a business purpose for showing it, the bank account number must be masked on display. At minimum, the first 5 digits must not be shown.
8.2 Unless there is a business purpose for showing it, the customer citizen-ID must be masked on display. At minimum, the first 9 digits must not be shown.
9. Application supporting Financial information
9.1 A virtual keypad is used for OTP entry in transactions
9.2 Support a randomized virtual keypad layout
9.3 Two-factor authentication is used when committing important functions, e.g. customer information change, password change, transaction commit.
9.4 The OTP lifetime is 5 minutes, and each OTP must be specific to a single transaction
9.5 OTPs must be hard to guess (generated from a cryptographically secure random source)
9.6 Support out-of-band notification (email and/or SMS) reporting committed transactions.
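Items 9.4 and 9.5 describe a transaction-bound OTP, and the usual mistakes are a predictable generator, a code that is valid for any transaction by that user, a code that stays valid after use, and no limit on guesses (a 6-digit code can be enumerated well inside 5 minutes). The Python below is an added example written for this page, not code from any reviewed product: `OtpService`, `PendingOtp`, the fingerprint fields, the 3-attempt limit and the injectable clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_LIFETIME_SECONDS = 5 * 60   # 9.4
MAX_OTP_ATTEMPTS = 3            # caveat (assumed value): without a cap, a 6-digit code is brute-forceable in 5 minutes


@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issues and verifies transaction-bound OTPs. The code comes from a CSPRNG (9.5), is
    bound to the transaction id and a fingerprint of its contents (9.4), expires after
    5 minutes (9.4), is single-use, and only its keyed hash is stored so reading the
    database does not reveal live codes."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key        # server-side secret; keep in a vault/KMS, not in code
        self._clock = clock           # injectable for deterministic expiry tests
        self._pending: Dict[str, PendingOtp] = {}

    @staticmethod
    def fingerprint(user_id: str, amount: str, destination: str) -> bytes:
        """Canonical digest of what the OTP authorizes. Any change (e.g. malware swapping
        the destination account after the code was requested) yields a different value."""
        return hashlib.sha256("|".join((user_id, amount, destination)).encode("utf-8")).digest()

    def _code_hash(self, txn_id: str, fp: bytes, code: str) -> bytes:
        msg = txn_id.encode("utf-8") + b"|" + fp + b"|" + code.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str, user_id: str, amount: str, destination: str) -> str:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # uniform; leading zeros kept
        fp = self.fingerprint(user_id, amount, destination)
        self._pending[txn_id] = PendingOtp(self._code_hash(txn_id, fp, code),
                                           self._clock() + OTP_LIFETIME_SECONDS)
        return code   # hand to the out-of-band channel (SMS / app push); never log it

    def verify(self, txn_id: str, user_id: str, amount: str, destination: str, code: str) -> bool:
        p = self._pending.get(txn_id)
        if p is None or p.used:
            return False
        if self._clock() > p.expires_at or p.attempts >= MAX_OTP_ATTEMPTS:
            del self._pending[txn_id]    # expired or too many guesses: a new OTP must be requested
            return False
        p.attempts += 1
        fp = self.fingerprint(user_id, amount, destination)   # recomputed from what is being committed now
        ok = hmac.compare_digest(self._code_hash(txn_id, fp, code), p.code_hash)
        if ok:
            p.used = True
        return ok
```

The 9.6 notification should carry the same fields that went into the fingerprint (amount, destination), so a customer reading the SMS can spot a transaction they did not intend to authorize.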
10. Before Deployment [subject to be reviewed by IT security team]
10.1 All internet-facing web applications must be placed behind a Web Application Firewall.
10.2 Application deployment scripts and deployment tasks are handed to IT security before deployment
10.3 The application user matrix and user management tasks will be prepared and handed to IT security before deployment.
10.4 The application solution must be developed and implemented according to the design approved by the IT solution committee.
10.5 Default passwords used by this solution must be changed
10.6 The application must pass the Security Acceptance Test (SAT). All identified gaps are to be closed before deployment. SAT normally comprises secure source-code review, application scanning and penetration testing, security requirement review (this sheet), review of regulator requirements (PCI-DSS, MAS, SO), infrastructure hardening and vulnerability assessment, as determined by IT security
10.7 Application logs are sent to the centralized log management.