The term "application system" covers a great deal. Before testing the security of an application system, you first have to divide it into classes so that you have an overall plan.
At present we can divide it into three fields: hardware, software, and wet parts.
Hardware: the physical environment of the application system (development environment, test environment, production environment) and the computers, network devices, and network infrastructure it uses.
Software: development tools, testing tools, and so on; also rules and regulations, laws and regulations, memos, processes, documents, and so on.
Wet parts: the people involved in every aspect of the application system.
I think that no matter whether the current standard is CC or 17799, or the lifecycle, ITIL, or IT internal control, these categories cannot be escaped.
Hardware is characterized by the fact that it should not change frequently. Software changes frequently. The wet parts are completely uncontrollable. At present our practice is to rely on the coordination of hardware and software to constrain the wet parts so that they are controlled as far as possible.