SAMA Cyber Security Framework Compliance
The SAMA Cyber Security Framework is mandatory for Saudi financial institutions. Learn how ImmuniWeb supports its vulnerability management and penetration testing requirements.
Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (1.0) Compliance
What Is the SAMA Cyber Security Framework?
The SAMA CSF sets the cybersecurity baseline for Saudi financial institutions. It is organized into four main domains - cyber security leadership and governance, cyber security risk management and compliance, cyber security operations and technology, and third-party cyber security - each with subdomains and controls.
Controls are assessed against a maturity model, and Member Organizations submit periodic self-assessments to SAMA. Supervisory reviews require tangible evidence - penetration test results in particular - that technical controls are actually operating, not merely documented.
See how ImmuniWeb supports SAMA CSF vulnerability management and penetration testing for the applications your institution runs. Request a demo or run a free Community Edition test.
Who Must Comply with SAMA CSF?
The SAMA CSF applies to all SAMA Member Organizations:
- Banks and insurers regulated by the Saudi Central Bank.
- Finance companies and credit bureaus under SAMA supervision.
- Financial market infrastructure and other SAMA-regulated entities.
The web, mobile and API applications these institutions run fall within the framework's technical controls.
Key SAMA CSF Requirements for Application Security
Within the operations and technology domain, several controls drive application-security work:
- Secure software development: apply a secure software development life cycle to applications.
- Vulnerability management: conduct regular vulnerability assessments and remediate findings within SAMA's expected timeframes.
- Penetration testing: perform regular, structured penetration testing as evidence that technical controls work - distinct from vulnerability scanning.
SAMA CSF Application-Security Requirements in Depth
Vulnerability Management and Penetration Testing
SAMA expects institutions to run regular vulnerability assessments and structured penetration testing, with critical and high findings remediated within expected timeframes. Supervisory reviews specifically look for penetration testing evidence, so combining continuous scanning with periodic manual penetration testing is key.
Secure Software Development
The framework expects a secure software development life cycle. Embedding security testing into development and testing applications before release catches vulnerabilities before they reach production and provides maturity evidence against the SAMA CSF.
Common Web and Mobile Application Risks to Remediate
The application vulnerabilities the framework expects you to find map closely to the OWASP Top 10 (2021):
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — security controls missing by design, not just through a bug.
- Security Misconfiguration — default, incomplete or insecure configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software and Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging and Monitoring Failures — attacks go unnoticed.
- Server-Side Request Forgery (SSRF) — the server is tricked into making requests to attacker-chosen destinations.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
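As an added illustration of two classes from the list above, Injection and Broken Access Control, here is example code written for this page (it is not ImmuniWeb's or SAMA's own code; the account table, its rows and the IBAN-like strings are constructed sample data). Each lookup is shown in its vulnerable form beside its fixed form, and `demo()` runs a classic tautology payload and an IDOR request against both so the difference is visible at the behaviour level, which is what a running-application test observes.

```python
"""Two OWASP Top 10 classes shown vulnerable and fixed.

Example code written for this page (not ImmuniWeb product code).
The account table and its rows are constructed sample data.
"""
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed account rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, iban TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "SA03 8000 0000 6080 1016 7519", 1500),  # constructed
            (2, "bob", "SA03 8000 0000 6080 1016 7520", 300),  # constructed
        ],
    )
    return conn


# --- A03:2021 Injection -----------------------------------------------------

def find_accounts_vulnerable(conn, owner):
    """Builds the WHERE clause by string formatting, so attacker-controlled
    `owner` becomes part of the SQL statement."""
    sql = f"SELECT id, owner FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def find_accounts_fixed(conn, owner):
    """Same query with a bound parameter: the driver passes `owner` as data,
    so quotes and OR clauses inside it never reach the SQL parser."""
    return conn.execute(
        "SELECT id, owner FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


# --- A01:2021 Broken Access Control (IDOR) ----------------------------------

def get_account_vulnerable(conn, current_user, account_id):
    """Looks up by the client-supplied id only; the authenticated user is
    never compared against the row's owner."""
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()


def get_account_fixed(conn, current_user, account_id):
    """Ownership is enforced in the query itself, so the caller can only
    ever receive rows that belong to them."""
    row = conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
        (account_id, current_user),
    ).fetchone()
    if row is None:
        # Same response whether the account does not exist or is not ours,
        # so the endpoint does not reveal which ids are valid.
        raise PermissionError("account not found or not owned by caller")
    return row


def demo():
    """Run both attacks against the vulnerable and fixed variants and
    return what each one yielded."""
    conn = make_db()
    injection = "' OR '1'='1"  # classic tautology payload
    results = {
        "injection_vulnerable_rows": len(find_accounts_vulnerable(conn, injection)),
        "injection_fixed_rows": len(find_accounts_fixed(conn, injection)),
        # bob asks for account 1, which belongs to alice
        "idor_vulnerable_owner": get_account_vulnerable(conn, "bob", 1)[1],
    }
    try:
        get_account_fixed(conn, "bob", 1)
        results["idor_fixed_blocked"] = False
    except PermissionError:
        results["idor_fixed_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the string-built query returning both accounts for the tautology payload while the parameterised one returns none, and the unchecked lookup handing bob alice's row while the ownership-scoped lookup refuses. Findings of this kind, and the retest that confirms the fix, are the evidence a supervisory review expects to see.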
How to Support SAMA CSF Compliance with ImmuniWeb
- Map your assets. Inventory internet-facing apps and APIs with ImmuniWeb Discovery.
- Manage vulnerabilities with Neuron scanning and tracked remediation.
- Penetration test web and mobile applications with On-Demand and MobileSuite.
- Secure development with Continuous in CI/CD.
- Remediate within SLA using actionable, zero-false-positive reports.
- Prepare evidence for the annual SAMA self-assessment and supervisory reviews.
How ImmuniWeb Helps You Achieve SAMA CSF Compliance
ImmuniWeb supports the vulnerability-management, penetration-testing and secure-development expectations of the SAMA CSF with assessment-ready evidence.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Penetration testing | Regular, structured penetration testing. | On-Demand, MobileSuite |
| Vulnerability management | Regular assessments and remediation. | Neuron, Discovery |
| Secure development | Secure software development life cycle. | Continuous, On-Demand |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing; Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps your attack surface - producing the evidence SAMA supervisory reviews expect.
SAMA CSF vs International Frameworks
If you already comply with international standards, the same ImmuniWeb tests provide evidence for all of them:
| Framework | Application security perspective | How ImmuniWeb aligns |
|---|---|---|
| SAMA CSF | Vulnerability management + penetration testing | Web/mobile pentest, scanning, ASM |
| Saudi NCA ECC | National Essential Cybersecurity Controls | The same tests cover both |
| ISO/IEC 27001 | Annex A: technical controls | Testing as control evidence |
| PCI DSS 4.0.1 | Requirements 6 and 11 | Web app pentest + scanning |
Penetration Testing vs Security Scanning
Both are necessary. Automated scanning (DAST) gives broad, frequent coverage and suits continuous testing in CI/CD; manual penetration testing finds the business-logic and complex vulnerabilities that scanners miss and delivers the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and retest after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing apps, APIs and assets
- Regular vulnerability assessments performed
- Structured penetration testing performed
- Critical/high findings remediated within expected timeframes
- Secure software development life cycle applied
- Maturity targets met (typically Level 3 and above)
- Evidence prepared for the annual SAMA self-assessment
Why SAMA CSF Compliance Matters
The SAMA CSF is mandatory for Saudi financial institutions, and the Saudi Central Bank conducts supervisory reviews and can issue formal warnings, directives and corrective-action requirements. Institutions are expected to reach defined maturity levels and to evidence that controls actually work.
Because web, mobile and API applications are a primary attack surface for financial institutions, demonstrable penetration testing and vulnerability management are among the most direct ways to evidence the framework's technical controls.