
SAMA Cyber Security Framework Compliance

The SAMA Cyber Security Framework is mandatory for Saudi financial institutions. Learn how ImmuniWeb supports its vulnerability management and penetration testing requirements.

Reading time: 8 min. Updated: 8 July 2025
Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (1.0) Compliance


What Is the SAMA Cyber Security Framework?

The SAMA CSF sets the cybersecurity baseline for Saudi financial institutions. It is organized into main domains (leadership and governance, risk management and compliance, operations and technology, and third-party cybersecurity), each broken down into subdomains and controls.

Controls are assessed against a maturity model, and Member Organizations submit periodic self-assessments to SAMA. Supervisory reviews expect demonstrable evidence, including penetration testing results, that technical controls are functioning rather than merely documented.

Find out how ImmuniWeb supports SAMA CSF vulnerability management and penetration testing for the applications your institution runs. Request a demo or run a free test with the Community Edition.

Who Must Comply with the SAMA CSF?

The SAMA CSF applies to all SAMA Member Organizations:

  • Banks and insurers regulated by the Saudi Central Bank.
  • Finance companies and credit bureaus under SAMA supervision.
  • Financial market infrastructure and other entities regulated by SAMA.

The web, mobile and API applications these institutions run fall within the framework's technical controls.

Key SAMA CSF Requirements for Application Security

Within the operations and technology domain, several controls drive application-security work:

  • Secure software development: apply a secure software development life cycle for applications.
  • Vulnerability management: perform regular vulnerability assessments and remediate findings within the timeframes SAMA expects.
  • Penetration testing: perform regular, structured penetration testing as evidence that technical controls work; this is distinct from vulnerability scanning.

SAMA CSF Application-Security Requirements in Depth

Vulnerability Management and Penetration Testing

SAMA expects institutions to run regular vulnerability assessments and structured penetration testing, with critical and high findings remediated within expected timeframes. Supervisory reviews specifically look for penetration testing evidence, so combining continuous scanning with periodic manual penetration testing is key.

Secure Software Development

The framework expects a secure software development life cycle. Embedding security testing into development and testing applications before release keeps them secure and provides maturity evidence against the SAMA CSF.

Common Web and Mobile Application Risks to Address

The application vulnerabilities the framework expects you to find map closely to the OWASP Top 10:

  • Broken Access Control: users reaching data or actions they should not.
  • Cryptographic Failures: weak or missing encryption that exposes sensitive data.
  • Injection: SQL, command or other injection via unvalidated input.
  • Insecure Design: security controls missing by design, not only through implementation errors.
  • Security Misconfiguration: default, incomplete or unsafe configuration.
  • Vulnerable and Outdated Components: unpatched libraries and frameworks.
  • Identification and Authentication Failures: weak handling of logins, sessions or credentials.
  • Software and Data Integrity Failures: untrusted updates, insecure CI/CD pipelines.
  • Security Logging and Monitoring Failures: attacks that go unnoticed.
  • Server-Side Request Forgery (SSRF): the server is tricked into making malicious requests.

For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.

How to Support SAMA CSF Compliance with ImmuniWeb

  1. Map your assets. Inventory internet-facing apps and APIs with ImmuniWeb Discovery.
  2. Manage vulnerabilities with Neuron scanning and tracked remediation.
  3. Penetration test web and mobile applications with On-Demand and MobileSuite.
  4. Secure development with Continuous in CI/CD.
  5. Remediate within SLA using actionable, zero-false-positive reports.
  6. Prepare evidence for the annual SAMA self-assessment and supervisory reviews.

How ImmuniWeb Helps You Comply with the SAMA CSF

ImmuniWeb supports the vulnerability-management, penetration-testing and secure-development expectations of the SAMA CSF with assessment-ready evidence.

Requirement               What it requires                                ImmuniWeb products
Penetration testing       Regular, structured penetration testing.        On-Demand, MobileSuite
Vulnerability management  Regular assessments and remediation.            Neuron, Discovery
Secure development        Secure software development life cycle.         Continuous, On-Demand

ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface, producing the evidence SAMA supervisory reviews expect.

The SAMA CSF Compared with International Frameworks

If you already work with international standards, the same ImmuniWeb tests support all of them:

Framework        Application-security perspective              How ImmuniWeb maps to it
SAMA CSF         Vulnerability management + penetration testing   Web/mobile pentest, scanning, ASM
Saudi NCA ECC    National Essential Cybersecurity Controls       The same tests cover both
ISO/IEC 27001    Annex A technical controls                      Testing as evidence of controls
PCI DSS 4.0.1    Requirements 6 and 11                           Pentest + web application scanning

Penetration Testing Versus Security Scanning

Both are needed. Automated scanning (DAST) provides broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss, and provides the depth that auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and retest after significant changes.

Compliance Checklist (Application Security)

  • Internet-facing applications, APIs and assets inventoried
  • Regular vulnerability assessments performed
  • Structured penetration testing performed
  • Critical/high findings remediated within expected timeframes
  • Secure software development life cycle applied
  • Maturity targets met (typically Level 3 and above)
  • Evidence prepared for the annual SAMA self-assessment

Why SAMA CSF Compliance Matters

The SAMA CSF is mandatory for Saudi financial institutions, and the Saudi Central Bank conducts supervisory reviews and can issue formal warnings, directives and corrective-action requirements. Institutions are expected to reach defined maturity levels and to evidence that controls actually work.

Because web, mobile and API applications are a primary attack surface for financial institutions, demonstrable penetration testing and vulnerability management are among the most direct ways to evidence the framework's technical controls.

Frequently Asked Questions

  • Q: What is the SAMA Cyber Security Framework?
    A: A mandatory cybersecurity governance framework issued by the Saudi Central Bank (SAMA) in 2017, setting the minimum cybersecurity baseline for Saudi financial institutions.
  • Q: Who must comply with the SAMA CSF?
    A: All SAMA Member Organizations: banks, insurers, finance companies, credit bureaus and financial market infrastructure.
  • Q: How is the SAMA CSF assessed?
    A: Controls are assessed against a maturity model, and Member Organizations submit periodic self-assessments to SAMA, supported by supervisory reviews.
  • Q: Does the SAMA CSF require penetration testing?
    A: Yes. Regular, structured penetration testing is expected as evidence that technical controls work, distinct from vulnerability scanning.
  • Q: How does ImmuniWeb help with SAMA CSF compliance?
    A: By providing penetration testing, vulnerability management and secure-development testing for web and mobile applications, with evidence for supervisory reviews.
  • Q: What maturity level should institutions aim for?
    A: Institutions are typically expected to reach Level 3 and above, depending on SAMA's requirements for their category.