Application Control. In order to ensure the protection of applications processing Data, the Supplier shall take reasonable steps to implement and maintain the following measures:
9.1. If applicable, prior to application release, conduct penetration tests, web application vulnerability tests and high severity vulnerabilities mitigation.
9.2. Conduct penetration tests at least once per year on its computing environment and provide Avaya with written copies of the results of such penetration tests performed by Supplier or its sub-processors no more than 30 days after Supplier obtains the results or reports.
9.3. Where applications that will process Data are being developed for the provision of Supplier’s services to Avaya, ensure that developers are trained on industry-standard secure development best practices.
9.4. Ensure that applications that will process Data are developed in a secure manner using Supplier’s formal, documented process that provides evidence that application security vulnerabilities are not present prior to moving into production. Retests will be conducted at least quarterly thereafter, and after each significant change. At a minimum, application security vulnerabilities would include the SANS Top 20 and OWASP Top 10.
9.5. Application security vulnerabilities that affect Data shall be corrected within a reasonable time after identification.
9.6. These requirements should be validated by tools such as dynamic application scanning and/or static code analysis.
Application Control. In order to ensure the protection of applications processing Personal Data, the Supplier shall take reasonable steps to implement and maintain the following measures:
9.1. If applicable, prior to application release, conduct penetration tests, web application vulnerability tests and high severity vulnerabilities mitigation.
9.2. Conduct penetration tests at least once per year on its computing environment and provide Avaya with written copies of the results of such penetration tests performed by Supplier or its sub-processors no more than 30 days after Supplier obtains the results or reports.
9.3. Where applications that will process Personal Data are being developed for the provision of Supplier’s services to Avaya, ensure that developers are trained on industry-standard secure development best practices.
9.4. Ensure that applications that will process Personal Data are developed in a secure manner using Supplier’s formal, documented process that provides evidence that application security vulnerabilities are not present prior to moving into production. Retests will be conducted at least quarterly thereafter, and after each significant change. At a minimum, application security vulnerabilities would include the SANS Top 20 and OWASP Top 10.
9.5. Application security vulnerabilities that affect Personal Data shall be corrected within a reasonable time after identification.
9.6. These requirements should be validated by tools such as dynamic application scanning and/or static code analysis.