How to know if my application’s network should be trusted

Question

Fortify has indicated that servers and clients on my network must be authenticated and authorized, or has otherwise indicated that the application’s network is not trusted. I trust the network on which my application runs. How can I know that it is trusted?

Answer

Fortify’s rules and zero trust principles both start from the assumption that the network is hostile. Firewalls and gateways may isolate a network from outside actors, but the application should assume that an attacker has already breached those perimeter defenses. An application on a protected network therefore needs its own defenses and cannot treat a connection as trustworthy because of where it came from: a source IP address, subnet, or VLAN membership is not an authenticated identity.

Under zero trust, every device, user, and network flow is authenticated and authorized before it is granted access. In practice this means the application verifies the identity of the servers it calls (not merely that it can reach them) and authenticates and authorizes the clients that call it, even when both sides sit on the same firewall- or gateway-protected network. Authentication and authorization are separate checks: proving who a peer is does not by itself establish what it may do.
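As an added illustration (not code from the original page, from Fortify, or from OIS), the following Go program shows what application-layer authentication and authorization look like with mutual TLS, using only the standard library. An in-memory CA issues certificates to a server and to clients; the server completes the handshake only for callers whose certificate chains to that CA and then separately authorizes them by the identity in the certificate, while the client refuses any server whose certificate does not chain to the CA it trusts. The CA and service names (corp-internal-ca, rogue-ca, orders-api, orders-service, reporting-service) and the allowlist are constructed for this demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints an in-memory certificate named cn: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		DNSNames:     []string{cn}, // the identity peers verify, independent of IP address or subnet
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	tmpl.Subject.CommonName = cn
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// authorized is the (constructed) allowlist of client identities permitted to call the endpoint.
var authorized = map[string]bool{"orders-service": true}

// newServer serves HTTPS, completing the handshake only for clients chained to trust, then authorizing by identity.
func newServer(trust *x509.CertPool, cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		peer := r.TLS.PeerCertificates[0].Subject.CommonName // non-empty: the handshake already verified it
		if !authorized[peer] {
			http.Error(w, "forbidden: "+peer, http.StatusForbidden)
		}
	}))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // a source address proves nothing; demand an identity
		ClientCAs:    trust,
	}
	srv.StartTLS()
	return srv
}

// call makes one GET presenting creds (nil for none) and trusting roots for the server; "rejected" means a failed handshake.
func call(url string, roots *x509.CertPool, creds []tls.Certificate) string {
	cfg := &tls.Config{RootCAs: roots, ServerName: "orders-api", Certificates: creds, MinVersion: tls.VersionTLS12}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "rejected"
	}
	resp.Body.Close()
	return fmt.Sprint(resp.StatusCode)
}

// Scenarios runs five connections against one mTLS server and reports each outcome.
func Scenarios() map[string]string {
	ca, rogue := issue("corp-internal-ca", nil), issue("rogue-ca", nil)
	good, other := issue("orders-service", &ca), issue("reporting-service", &ca)
	fake := issue("orders-service", &rogue) // right name, wrong issuer
	trust, rogueTrust := x509.NewCertPool(), x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	rogueTrust.AddCert(rogue.Leaf)
	srv := newServer(trust, issue("orders-api", &ca))
	defer srv.Close()
	return map[string]string{
		"authenticated and authorized":      call(srv.URL, trust, []tls.Certificate{good}),
		"authenticated but not authorized":  call(srv.URL, trust, []tls.Certificate{other}),
		"no client certificate":             call(srv.URL, trust, nil),
		"certificate from untrusted issuer": call(srv.URL, trust, []tls.Certificate{fake}),
		"server not trusted by client":      call(srv.URL, rogueTrust, []tls.Certificate{good}),
	}
}

func main() {
	fmt.Println(Scenarios())
}
```

Only the first call returns 200; the second is authenticated but gets 403 because reporting-service is not on the allowlist, and the remaining three never get past the handshake. In a real deployment the CA and keys would come from the organization’s PKI or workload identity system rather than being generated in-process, and the allowlist would be policy data rather than a literal, but the shape of the checks is the same: identity is proven cryptographically on every connection, and the authorization decision is made afterwards and independently.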

Additional Guidance

OIS Software Assurance recognizes that implementing a zero trust architecture (ZTA)[1] is not feasible for every application. To show instead that zero trust principles have been applied outside the application to mitigate the reported vulnerabilities in the source code, the following criteria must be met:

  • Requirement: The developer will need to provide documentation[2] that attests that:
    • Trust is never granted implicitly and is continually evaluated for the affected workflow.
    • Resources are restricted to the users or applications with a need to access them, and those users or applications are granted only the minimum privileges needed to perform the operation.[3]

[1] Zero Trust Architecture, NIST Special Publication 800-207

[2] There are no specific presentation or content requirements for the attestation documentation beyond addressing the specific technical concerns.

[3] The specific solution(s) used must be identified in the attestation or in a readme file. Potential zero trust approaches include solutions that provide enhanced identity governance, logical micro-segmentation, network-based segmentation, or a combination of these.