What can be done to improve application security within the QNRCS? That’s what we intend to answer in these lines. At the end of this article, you will know where to find the essential information to drive and maintain your company’s applications secure.

Organisations established in Portugal of all sizes, public or private, from any sector of activity should be aware of the certification of compliance with the National Cybersecurity Reference Framework (EC QNRCS). This reference framework, designed by the National Cybersecurity Center (CNCS) and constantly updated, allows organisations to certify, through certification, the implementation of their organisational, procedural, technological and human cybersecurity practices.

Learn more: List of legal, normative and regulatory references

What are the objectives of the QNRCS?

The QNRCS is fundamental for companies that have, need, or want to achieve a recognised level of cybersecurity maturity to provide confidence in their security and the services they provide to their stakeholders. Among other objectives, organisations must take the measures set forth in the QNRCS for Identification, Protection, Detection, Response, and Recovery to address threats that could jeopardise the security of networks and information systems.

Compliance with the QNRCS, including certification, helps to meet legal requirements and empower organisations to prevent and avoid cybersecurity incidents. In early February, the Secretary of State for Digitalization and Administrative Modernization, Mário Campolargo, warned of the need for companies to comply with the regulatory framework in force and called for the adoption of safe behaviour on the Internet.

Read more: Decree-law number 65/2021, July 30th| DRE

Dealing with security risk

The QNRCS describes the security requirements and identifies the measures to be taken so that any entity can meet the minimum-security standards for the networks and information systems of companies and their partners.

Compliance with the QNRCS and other regulations helps organisations combat cybersecurity threats and risks, avoiding making common mistakes and contributing to the review and change of approach, keeping pace with the unstoppable dynamics of new threat development.

Table 1 – Main QNRC Categories involving application security

Security ObjectiveCategoryIDTitleNIST 800-53 rev.4
Identify (ID)Risk AssessmentID.RA-1Asset vulnerabilities are identified and documentedCA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
Identify (ID)Supply Chain Risk ManagementID.SC-3Supply chain contracts respect the approved management planSA-9, SA-11, SA-12, PM-9
Protect (PR)Information Protection Processes and ProceduresPR.IP-2A System Development Life Cycle to manage systems is implementedPL-8, SA-3, SA-4, SA-8, SA-10, SA11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17

Achieving application Security

Application Security is one aspect of cybersecurity. NIST 800-54 rev. 4 provides the controls that must be complied with, and the controls that apply to application security are included in the “System and Service Acquisition (SA)” family.

The major categories of the QNRCS involving application security are scattered throughout the document. Balwurk has identified them to help your organisation in its work.

Risk Assessment (ID.RA-1): Asset vulnerabilities are identified and documented

Vulnerability management is the main process organisations should do to assess risk in the information security context. All vulnerabilities that are known and are not yet mitigated or fixed should be evaluated by the organisation’s risk assessment processes and should be formally dealt with. The strategy to mitigate these risks should follow the risk management methodology put in place by the organisation.

Process Implementation

The organisation should ensure its risk assessment processes include an asset vulnerability classification taxonomy for the ones that can be exploitable by possible threats and a record for all known vulnerabilities not yet mitigated or fixed that are identified by its vulnerability management process.


Support document for risk management; and Records of the execution of the risk management process.

Supply Chain Risk Management (ID.GL-3): Supply chain contracts respect the approved management plan

The organisation should ensure that suppliers follow their rules for dealing with and securing digital information. Supply chain contracts should include adequate measures to ensure compliance with the objectives defined in the internal information security policy and the plan for the supply chain management.

Process Implementation

The organisation should ensure its supply chain management policy mandates:

  • Inclusion of confidentiality clauses on established contracts;
  • Signing of Non-Disclosure Agreements with suppliers and their employees.

The confidentiality clauses and NDA should mandate confidentiality in treating information:

  • From the organisation;
  • From clients.
  • From other suppliers.


Support document for supply chain risk management, defining the required contractual clauses for suppliers

Information Protection Processes and Procedures (PR.PI-2): A System Development Life Cycle to manage systems is implemented

The organisation should apply sound engineering principles for information security in the specification, design, development, implementation and change of networks and information systems. These principles should be applied both to new systems and existing systems that are going through significant changes. For legacy systems, these principles should be applied as possible, considering the state of hardware, software and firmware.

Technical Implementation:

  • Continuous integration and continuous delivery system;
  • Source code version control tool;
  • Document management about network and information security in an enterprise content management system.

Process Implementation.

The organisation should:

  • Define the security requirements for software projects;
  • Manage the lifecycle of networks and information systems considering:
    • Layered protections;
    • Principles of security by default;
    • Definition of physical and logical barriers and attack surface areas;
    • Identification of use cases, threats, attacker profiles, attack vectors and patterns to consider compensatory controls;
  • Define and document roles and responsibilities in the development lifecycle;
  • Identify employees that have the responsibility for ensuring secure software development in the development lifecycle;
  • Integrate risk management information in the development lifecycle.


  • Documents with security requirements for software projects;
  • Policy for security software development;
  • Audit of past penetration tests.

Read: The impact of the new Cyber Resilience Act proposal – Balwurk

Other categories related to application security

To delve deeper into the subject of security objectives that directly involve application security, have a look at the following table, compiled for you by Balwurk.

It is critical to have all application security aligned with these goals. There are aspects that you may consider common sense, but organising them in a framework helps your company not to miss anything.

When it comes to asset management, having External information systems catalogued or resources prioritised based on their classification, criticality, and business value is fundamental.

Supply chain alignment

In the business environment, it is critical to be aligned with a supply chain. An organisation must identify and communicate its role in the supply chain and, above all, prioritise its mission, vision, objectives, and activities, which must also be defined and communicated to the supply chain.

An organisation must be inserted securely in its environment. Thus, it must establish dependencies and functions critical to the delivery of critical services and ensures that resiliency requirements to support the delivery of critical services are established for all operational states.

There must be a risk assessment strategy where asset vulnerabilities are identified and documented, and the organisational risk handling strategy is determined and clearly expressed.

Since an organisation can’t survive without a supply chain, this must be flawless. It’s fundamental to identify, assess, manage, and agree about the supply chain risk management processes your company defined. That also implies a supply chain risk evaluation and the assurance that the supply chain contracts respect the approved management plan. It’s also beneficial to routinely assess the suppliers and third-party partners.

Remember, the question is not if there will be some security breach.
The question is when. And you must be prepared.

Focus on Protection

When advancing to Protection, remember that third-party stakeholders must understand their roles and responsibilities, so you should invest in some awareness and training for your partners.

Your organisation must have an integrity-checking mechanism to verify hardware integrity and create and maintain a baseline configuration of information technology/industrial control systems.

It’s also fundamental, and this is one of the main issues, to have implemented a System Development Life Cycle (SDLC) to manage systems. And assure you have in place a configuration change control processes are in place. Don’t forget to include cybersecurity in human resources practices and to implement mechanisms to achieve resilience requirements in normal and adverse situations.

Finally, you must be prepared to face the threats. External service provider activity must be monitored to detect potential cybersecurity events and assure that the detection activities comply with all applicable requirements.

By reading this article, you have learned what your company needs to address in terms of application security and within the scope of the QNRCS.