APPL-03

Are only currently supported operating system(s), software, and libraries leveraged by the system(s)/application(s) that will have access to institution's data?

Explanation

This question asks whether your systems and applications use only operating systems, software, and libraries that are currently supported by their vendors or maintainers.

Why this matters: unsupported software no longer receives security patches or updates, which creates significant security vulnerabilities. When vendors end support for a product (for example Windows 7 or an old version of a web framework), they stop releasing patches for newly discovered security issues. The result is an expanding set of known, exploitable vulnerabilities that attackers can target.

The guidance specifically mentions browser compatibility because web applications often have specific browser requirements. If your application only works with certain modern browsers, you should disclose that.

In a security assessment, this question helps evaluators understand whether your environment contains legacy components that might introduce unnecessary risk to the institution's data. Organizations using end-of-life software components present a higher security risk.

When answering this question:

1. Inventory all operating systems, software packages, and libraries used in your environment.
2. Verify their support status with vendors/maintainers.
3. Be transparent about any exceptions and the mitigating controls in place.
4. Include browser compatibility information for web applications.
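The inventory-and-verify steps above are what the "automated scanning process that alerts us when dependencies approach end-of-life" in the example responses implements. The following is an added illustration, not code from the page or from ResponseHub: it checks a constructed component inventory against a constructed support-end table and groups the results so that exceptions can be listed explicitly in the answer. The only real dates used are the two months the page states (Windows Server 2012 R2, October 2023; .NET 6, November 2024); the other dates, the `warn_days` window and the `unknown` handling are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed inventory (the output of step 1 in the explanation); names are
# the components the page's example responses mention.
INVENTORY = ["Windows Server 2012 R2", "Windows Server 2022",
             "Ubuntu 22.04 LTS", ".NET 6", "Java 8"]

# Constructed support-end table. Windows Server 2012 R2 (October 2023) and
# .NET 6 (November 2024) use the months the page states, taken as the last day
# of that month; the other two dates are placeholders, not real vendor dates.
# Java 8 is deliberately absent to exercise the 'unknown' case.
SUPPORT_ENDS = {
    "Windows Server 2012 R2": date(2023, 10, 31),
    ".NET 6": date(2024, 11, 30),
    "Windows Server 2022": date(2031, 12, 31),  # placeholder
    "Ubuntu 22.04 LTS": date(2027, 4, 30),      # placeholder
}


def support_status(name, support_ends, today, warn_days=180):
    """Classify one component as 'unsupported' (end date passed),
    'ending-soon' (within warn_days), 'supported', or 'unknown' (no date on
    record: needs a manual vendor check, never a silent pass)."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    end = support_ends.get(name)
    if end is None:
        return "unknown"
    if end < today:
        return "unsupported"
    if end - today <= timedelta(days=warn_days):
        return "ending-soon"
    return "supported"


def review(inventory, support_ends, today, warn_days=180):
    """Group the inventory by status (step 2) so every exception can be
    listed explicitly in the questionnaire answer (step 3)."""
    report = {"unsupported": [], "ending-soon": [], "supported": [], "unknown": []}
    for name in inventory:
        report[support_status(name, support_ends, today, warn_days)].append(name)
    return report


def can_answer_yes(report):
    """A 'Yes' is only accurate when nothing is unsupported or unverified."""
    return not report["unsupported"] and not report["unknown"]
```

Run against the constructed data on 2024-06-15, the report flags Windows Server 2012 R2 as unsupported, .NET 6 as ending soon and Java 8 as unknown, so the honest answer is the "No, with mitigations" form of Example Response 3 rather than a "Yes".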

Guidance

If the web application only works with a subset of modern supported browsers, please indicate that here.

Example Responses

Example Response 1

Yes, we maintain a strict policy of using only supported software throughout our environment. All our servers run either Ubuntu 22.04 LTS or Windows Server 2022, both of which are currently supported with regular security updates. Our application is built on .NET 6 (supported until November 2024) and uses only libraries that are actively maintained. We have an automated scanning process that alerts us when dependencies approach end-of-life, and we perform quarterly reviews of our technology stack to ensure compliance. Our web application is compatible with and fully tested on the current and previous major versions of Chrome, Firefox, Safari, and Edge browsers.

Example Response 2

Yes, all systems processing institution data run on supported platforms. Our cloud infrastructure uses Amazon Linux 2023 and our application servers run Red Hat Enterprise Linux 8. Our application stack includes Python 3.10, Django 4.2 LTS, and PostgreSQL 15, all currently supported. We maintain a software bill of materials (SBOM) and use dependency scanning tools to identify and remediate any outdated components. For browser compatibility, our web application supports the latest versions of Chrome, Firefox, Safari, and Edge, plus one version back. Internet Explorer is not supported as it has reached end-of-life.

Example Response 3

No, we currently have several systems running Windows Server 2012 R2, which reaches end-of-support in October 2023. We're actively migrating these systems to Windows Server 2022, with completion expected by August 2023. During this transition period, we've implemented additional security controls including enhanced network segmentation, more frequent vulnerability scanning, and stricter access controls to mitigate risks. We also have a legacy internal application that requires Java 8, which we maintain in an isolated environment with no direct internet access. Our customer-facing web applications are fully modernized and support all current browser versions.

Context

Tab: Infrastructure
Category: Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub