HECVAT Category

Application/Service Security

Application/Service Security covers how a vendor builds, tests and operates the application that will handle institutional data: the access control model for institutional and staff accounts, web application protection, use of supported software and libraries, separation of duties, static and dynamic testing, input validation, software supply chain management, secure coding practices and training, trusted distribution of mobile apps, and how vendor employees obtain administrative access to an institution's instance. Institutions use the category to gauge a vendor's application security posture and engineering maturity, and it gives reviewers a consistent structure for comparing vendors during security reviews.

Assessment Questions

APPL-01

Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?

This question is asking whether your organization uses a structured, systematic model for controlling access to your systems and data, specifically for institutional accounts (accounts belonging to the institution's users and administrators, as opposed to your own staff, which APPL-08 covers). "Structured rules" means access decisions follow a defined mapping of roles, attributes or policies to permissions, not ad hoc per-user exceptions.

APPL-02

Are you using a web application firewall (WAF)?

This question is asking whether your organization uses a Web Application Firewall (WAF) to protect your web applications.

APPL-03

Are only currently supported operating system(s), software, and libraries leveraged by the system(s)/application(s) that will have access to institution's data?

This question is asking whether your systems and applications use only operating systems, software, and libraries that are currently supported by their vendors or maintainers, meaning they still receive security updates. End-of-life components no longer get fixes for newly disclosed vulnerabilities, so any system that touches the institution's data should be free of them.

APPL-04

Does your application require access to location or GPS data?

This question is asking whether your software application or service collects or requires access to a user's physical location data or GPS (Global Positioning System) coordinates. Location data is considered sensitive personal information because it can reveal patterns about a person's movements, home address, workplace, and other private details.

APPL-05

Does your application provide separation of duties between security administration, system administration, and standard user functions?

This question is asking whether your application implements 'separation of duties' (SoD), a fundamental security principle that divides critical functions among different individuals or roles (here: security administration, system administration, and ordinary use) so that no single account can both perform a sensitive action and hide it, which limits fraud, errors, and the impact of a compromised account.

APPL-06

Do you subject your code to static code analysis and/or static application security testing prior to release?

This question is asking whether your organization uses automated tools to analyze source code for potential security vulnerabilities, without executing it, before releasing software. The question is about the practice being in place before release, not about a one-off scan.

APPL-07

Do you have software testing processes (dynamic or static) that are established and followed?

This question is asking whether your organization has established and follows formal processes for testing software, either through dynamic or static methods. Static testing inspects code or binaries without running them; dynamic testing exercises the running application. "Established and followed" means the process is documented and actually applied to releases, not merely available.

APPL-08

Are access controls for staff within your organization based on structured rules, such as RBAC, ABAC, or PBAC?

This question is asking whether your organization implements structured access control models for managing who among your own staff can access what within your systems. It is the internal counterpart of APPL-01, which covers institutional accounts.
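APPL-01, APPL-05 and APPL-08 all ask for access decided by structured rules rather than per-user exceptions. The following is an added example (not HECVAT material or any vendor's code) of a minimal RBAC model with a separation-of-duties constraint; the role names, permission names and the exclusive-role pair are illustrative assumptions:

```python
"""RBAC with a separation-of-duties constraint.

Added example, not HECVAT material or any vendor's code. Role names,
permission names and the exclusive-role pairs are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role -> permissions it grants. Access is decided only through this table
# (a structured rule), never through per-user exceptions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "security_admin": {"manage_roles", "review_audit_log", "rotate_keys"},
    "system_admin": {"deploy_release", "restart_service", "read_metrics"},
    "user": {"read_own_records", "update_own_profile"},
}

# Separation of duties (APPL-05): no single identity may hold both roles in a pair.
MUTUALLY_EXCLUSIVE: Set[frozenset] = {
    frozenset({"security_admin", "system_admin"}),
}


class SeparationOfDutiesError(ValueError):
    """Raised when a role assignment would violate MUTUALLY_EXCLUSIVE."""


@dataclass
class Principal:
    name: str
    roles: Set[str] = field(default_factory=set)


def conflicting_roles(roles: Set[str]) -> List[Tuple[str, str]]:
    """Return the exclusive pairs that are both present in `roles`."""
    return [tuple(sorted(pair)) for pair in MUTUALLY_EXCLUSIVE if pair <= roles]


def assign_role(principal: Principal, role: str) -> None:
    """Grant a role, refusing unknown roles and SoD violations."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if conflicting_roles(principal.roles | {role}):
        raise SeparationOfDutiesError(
            f"{principal.name} cannot hold {role} alongside {sorted(principal.roles)}"
        )
    principal.roles.add(role)


def permissions_for(principal: Principal) -> Set[str]:
    """Effective permissions are the union of what the held roles grant."""
    perms: Set[str] = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(principal: Principal, permission: str) -> bool:
    """Default deny: a permission that no held role grants is refused."""
    return permission in permissions_for(principal)


def audit_assignments(assignments: Dict[str, Set[str]]) -> List[Tuple[str, Tuple[str, str]]]:
    """Periodic review: list every (user, conflicting pair) in a role export."""
    return [
        (user, pair)
        for user, roles in assignments.items()
        for pair in conflicting_roles(roles)
    ]


if __name__ == "__main__":
    alice = Principal("alice")
    assign_role(alice, "security_admin")
    print(is_authorized(alice, "manage_roles"))    # True
    print(is_authorized(alice, "deploy_release"))  # False
    try:
        assign_role(alice, "system_admin")
    except SeparationOfDutiesError as exc:
        print("refused:", exc)
```

The two things an assessor looks for are visible here: the decision path is a table lookup with default deny, and the SoD rule is enforced both at assignment time and by an audit over an exported role list, so a conflict introduced outside the application (for example by a direct database edit) is still caught.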

APPL-09

Does the system provide data input validation and error messages?

This question is asking whether your application or service validates user input and returns appropriate error messages when invalid data is entered. "Appropriate" means the message tells the user which field failed and why, without echoing the rejected value or exposing internals such as stack traces or database errors.
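As an added example (not HECVAT material or any vendor's code), the following shows allowlist validation of a small form together with an error message that is safe to return, beside the echoing anti-pattern. The field names and rules are illustrative assumptions:

```python
"""Allowlist input validation with error messages that are safe to show.

Added example, not HECVAT material or any vendor's code. The form fields and
their rules are illustrative assumptions.
"""
import re
from typing import Dict, List, Tuple

MAX_FIELD_LENGTH = 256

# Field -> (allowlist pattern, human-readable rule). Anything that does not
# match is rejected; no attempt is made to enumerate bad input.
RULES = {
    "username": (
        re.compile(r"[a-z][a-z0-9_]{2,31}"),
        "3 to 32 characters: lowercase letters, digits or underscore, starting with a letter",
    ),
    "student_id": (re.compile(r"[0-9]{7}"), "exactly 7 digits"),
    "term": (
        re.compile(r"(spring|summer|fall)-20[0-9]{2}"),
        "spring, summer or fall followed by -YYYY",
    ),
}


def unsafe_error_message(field: str, value: str) -> str:
    """Anti-pattern: echoes the submitted value. Rendered into HTML this is a
    reflected XSS sink, and in logs it can leak secrets a user mistyped."""
    return f"Invalid value for {field}: {value}"


def safe_error_message(field: str) -> str:
    """Names the field and the rule only; never the value, a stack trace or
    an internal error string such as a database message."""
    return f"{field}: expected {RULES[field][1]}"


def validate(form: Dict[str, object]) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (cleaned values, errors). Keys not in RULES are ignored so that
    extra attacker-supplied fields never reach the data layer."""
    cleaned: Dict[str, str] = {}
    errors: List[Dict[str, str]] = []
    for field, (pattern, _rule) in RULES.items():
        value = form.get(field)
        if value is None:
            errors.append({"field": field, "message": f"{field}: required"})
        elif not isinstance(value, str) or len(value) > MAX_FIELD_LENGTH:
            # Type and size are checked before the regex ever sees the input.
            errors.append({
                "field": field,
                "message": f"{field}: must be text of at most {MAX_FIELD_LENGTH} characters",
            })
        elif pattern.fullmatch(value) is None:
            # fullmatch, not match/search: a trailing newline or an appended
            # payload after a valid prefix is still rejected.
            errors.append({"field": field, "message": safe_error_message(field)})
        else:
            cleaned[field] = value
    return cleaned, errors


if __name__ == "__main__":
    good = {"username": "jdoe", "student_id": "1234567", "term": "fall-2025"}
    print(validate(good))
    bad = {"username": "<script>alert(1)</script>", "student_id": "12", "term": "fall-2025"}
    print(validate(bad))
```

Validation happens on the server regardless of any client-side checks, and the same safe message is returned whether the failure was a format mismatch or an oversized value, so the response tells a probing client nothing beyond the published rule.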

APPL-10

Do you have a process and implemented procedures for managing your software supply chain (e.g., libraries, repositories, frameworks, etc.)?

This question is asking about your organization's approach to managing software supply chain risks - specifically how you track, evaluate, and secure the third-party components that go into your software products.
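One concrete procedure behind a "yes" to this question is pinning every third-party component to an exact version and hash, then checking that rule automatically. The following is an added example (not HECVAT material or any vendor's code) that audits a pip requirements file for unpinned or hash-less entries and verifies an artifact against its pinned hash; the requirements text and the artifact bytes are constructed inline for the demonstration:

```python
"""Audit a pip requirements file for unpinned or hash-less dependencies and
verify a downloaded artifact against the pinned hash.

Added example, not HECVAT material or any vendor's code. The requirements
text and the artifact bytes are constructed inline for the demonstration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed stand-in for a downloaded wheel; a real check reads the file.
ARTIFACT = b"PK\x03\x04 constructed stand-in for requests-2.32.3-py3-none-any.whl"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed requirements.txt: one pinned-and-hashed entry, one version
# range, one bare name.
SAMPLE_REQUIREMENTS = (
    "# constructed sample\n"
    "requests==2.32.3 \\\n"
    f"    --hash=sha256:{ARTIFACT_SHA256}\n"
    "pyyaml>=6.0\n"
    "cryptography\n"
)

SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(===|==|~=|>=|<=|!=|>|<)?(\S*)$")


@dataclass
class Requirement:
    name: str
    operator: Optional[str]
    version: Optional[str]
    hashes: List[str] = field(default_factory=list)  # entries are "algo:hexdigest"


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash continuations and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined = (buf + line).strip()
        buf = ""
        if joined:
            yield joined
    if buf.strip():
        yield buf.strip()


def parse_requirements(text: str) -> List[Requirement]:
    reqs: List[Requirement] = []
    for line in _logical_lines(text):
        spec, *options = line.split()
        m = SPEC_RE.match(spec)
        if m is None:
            raise ValueError(f"unparseable requirement: {spec}")
        name, op, version = m.group(1), m.group(2), m.group(3) or None
        hashes = [o[len("--hash="):] for o in options if o.startswith("--hash=")]
        reqs.append(Requirement(name.lower(), op, version, hashes))
    return reqs


def audit(reqs: List[Requirement]) -> List[Tuple[str, str]]:
    """Findings a supply-chain policy would block on before a build proceeds."""
    findings: List[Tuple[str, str]] = []
    for r in reqs:
        if r.operator != "==":
            findings.append((r.name, "not pinned to an exact version"))
        if not r.hashes:
            findings.append((r.name, "no --hash, so the downloaded artifact is not integrity-checked"))
    return findings


def verify_artifact(data: bytes, req: Requirement) -> bool:
    """True only if data matches one of the pinned hashes (constant-time compare)."""
    for entry in req.hashes:
        algo, sep, expected = entry.partition(":")
        if not sep or algo not in hashlib.algorithms_available:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, expected.lower()):
            return True
    return False


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, problem in audit(reqs):
        print(f"{name}: {problem}")
    print("requests artifact ok:", verify_artifact(ARTIFACT, reqs[0]))
```

In a real pipeline the audit runs on the lockfile in CI, and the hash check is what pip's hash-checking mode performs at install time once every requirement carries a --hash. The parser above handles the subset of the requirements format needed here (name, one version operator, --hash options and backslash continuations), not extras, markers or URLs.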

APPL-11

Have your developers been trained in secure coding techniques?

This question is asking whether your organization has provided formal training to your software developers on secure coding practices. Secure coding techniques are programming practices that help prevent security vulnerabilities in software applications.

APPL-12

Was your application developed using secure coding techniques?

This question is asking whether your organization follows secure coding practices during application development. Secure coding techniques are methodologies, practices, and tools that developers use to prevent security vulnerabilities from being introduced into software during the development process.

APPL-13

If mobile, is the application available from a trusted source (e.g., App Store, Google Play Store)?

This question is asking whether your mobile application is distributed through official, trusted app distribution platforms like Apple's App Store or Google's Play Store, rather than through sideloaded builds or third-party stores, so that users receive a reviewed, signed build and updates through the platform.

APPL-14

Do you have a fully implemented policy or procedure that details how your employees obtain administrator access to an institution's instance of the application?

This question is asking whether your organization has a formal, documented policy or procedure that specifically outlines how your employees can obtain administrator-level access to a customer's (institution's) instance of your application.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub