HECVAT Category
Application/Service Security
Application/Service Security covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?
Structured authorization is the heart of this question, which asks whether institutional account access is governed by rule-based models such as RBAC, ABAC, or PBAC.
Are you using a web application firewall (WAF)?
Web application firewalls are the focus here, with reviewers checking whether you deploy a WAF to shield your web applications from common attacks.
Are only currently supported operating system(s), software, and libraries leveraged by the system(s)/application(s) that will have access to institution's data?
Reviewers are checking that every operating system, software package, and library touching institutional data is still actively supported by its vendor or maintainer.
Does your application require access to location or GPS data?
At the heart of this is location data: whether your application collects or requires access to a user's physical position or GPS coordinates. Location data is considered sensitive personal information because it can reveal patterns about a person's movements, home address, workplace, and other private details.
Does your application provide separation of duties between security administration, system administration, and standard user functions?
Separation of duties is the principle under review: reviewers want your application to divide security administration, system administration, and standard user functions among different roles to limit fraud and error.
Do you subject your code to static code analysis and/or static application security testing prior to release?
Secure development practices are under review here, specifically whether you run static code analysis or static application security testing on your code before each release.
Do you have software testing processes (dynamic or static) that are established and followed?
Software testing discipline is under review: the institution wants to know that you have established, repeatable dynamic or static testing processes and that you actually follow them.
Are access controls for staff within your organization based on structured rules, such as RBAC, ABAC, or PBAC?
Structured access control is the focus: whether your organization governs internal access using models such as RBAC, ABAC, or PBAC rather than ad hoc permissions. Let me break down the key components:
Does the system provide data input validation and error messages?
Input handling is the subject here, specifically whether your application validates the data users enter and surfaces appropriate error messages for invalid input.
Do you have a process and implemented procedures for managing your software supply chain (e.g., libraries, repositories, frameworks, etc.)
Software supply chain risk is the focus, and whether you have a process and working procedures to track, evaluate, and secure the third-party libraries, repositories, and frameworks in your products.
Have your developers been trained in secure coding techniques?
Secure-by-design development depends on skilled engineers, so reviewers want evidence that your developers have received formal secure coding training. Secure coding techniques are programming practices that help prevent security vulnerabilities in software applications.
Was your application developed using secure coding techniques?
Secure development practices sit at the heart of this requirement, which asks whether your applications are built using secure coding techniques. Secure coding techniques are methodologies, practices, and tools that developers use to prevent security vulnerabilities from being introduced into software during the development process.
If mobile, is the application available from a trusted source (e.g., App Store, Google Play Store)?
Distribution trust is the focus for mobile apps: the question is whether yours is published through official channels like the Apple App Store or Google Play rather than side-loaded sources.
Do you have a fully implemented policy or procedure that details how your employees obtain administrator access to institutional instance of the application?
Privileged access governance is under review, specifically whether a documented, implemented procedure spells out how your staff gain administrator rights to a customer's instance of your application.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

