Information Security Standards

APPLICATION DEVELOPMENT SECURITY

GENERAL

The purpose of this procedure is to establish basic processes and practices to ensure the development, deployment and maintenance of more secure applications.

APPLICABILITY

This procedure applies to all developers of University information resources.

PROCEDURES

1. Applications, application services, and application development tools should connect using encrypted protocols whenever sensitive data, including passwords, is being transferred. This applies during the development of an application, as well as throughout its lifetime.

2. Application connections to external services, including LDAP, SMB, and FTP, should use an encrypted protocol if it is available.

3. Application connections to databases should be encrypted between the application host and the database host.

4. Access control lists (ACLs) should be utilized to ensure that only necessary access is granted to developers or applications.

5. Passwords, including passwords used by the application, should be stored in an encrypted format if possible.

6. SQL queries should use bind variables, rather than concatenating strings, to minimize the chance of SQL injection.

7. Applications should use SSL encryption between the user and the application host if sensitive data is transferred. Applications should prefer SSL even if sensitive data is not transferred.

8. Applications should use server-side validation, whether or not client-side validation is used.

9. Application logging must produce the logs required for debugging or auditing, and may also produce logs of normal operation.

10. Web-based applications must use the web application template approved by the director of Application Solutions.

HISTORY

Created September 11, 2013

Last Updated March 31, 2014