All production workstations must have an unalterable security suite (Anti-virus, Antispyware, Host Firewall, Host-IDS, Host-IPS).
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints. The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
NERC CIP-003-8. Attachment 1. Section 5 - 5.1 Each Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more plan(s) to achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems. The plan(s) shall include antivirus software, or other method(s) to mitigate the introduction of malicious code.
NERC CIP-005-5. B. Requirements and measures. R1.5 Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
OWASP-ASVS v4.0.1 V1.14 Configuration Architectural Requirements. (1.14.1) Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.
OWASP-ASVS v4.0.1 V12.4 File Storage Requirements. (12.4.2) Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload of known malicious content.
PCI DSS v3.2.1 - Requirement 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).