Secure Application Development Operational Protocol
Principle
Applications developed by personnel employed or contracted by KUMC departments must meet KUMC standards for secure application development.
Purpose
The purpose of this operational protocol is to assure that the programming of custom applications conforms to best practices for secure application development.
Groups covered
All KUMC faculty, staff, and students.
Minimum Application Development Standards
All applications hosted on KUMC infrastructure must comply with the following set of minimal practices.
# | Practice | Public-facing | Contains sensitive information
1 | Ensure applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Input-handling flaws include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws. See http://www.owasp.org/ for more information and examples. | Required | Required
2 | Ensure applications execute proper error handling so that errors will not provide detailed system information, deny service, impair security mechanisms, or crash the system. See http://www.owasp.org/ for more information and examples. | Required | Required
3 | Ensure applications authenticate users through central authentication systems where possible, specifically Central Authentication Services (CAS), Active Directory, LDAP, or Shibboleth. | Recommended | Required
4 | Establish authorizations for applications by affiliation, membership, or employment, rather than by individual. | Recommended | Recommended
5 | Services or applications running on systems manipulating confidential data must implement secure (that is, encrypted) communications as required by sensitive information and integrity needs. See http://www.kumc.edu/information-resources/sensitive-information-policy.html | Recommended | Required
6 | Conduct code-level security reviews with professionally trained peers for all new or significantly modified applications, particularly those that affect the collection, use, and/or display of sensitive information, documenting the actions that were taken. | Recommended | Required
7 | Maintain source code separate from compiled code, ideally in a centralized code repository like CVS or Team Foundation Services that is regularly groomed and backed up. | Recommended | Recommended
8 | Locate services or applications on infrastructure that is actively managed, i.e., updates are applied, backup procedures are in place, etc. | Required | Required
9 | For software run on the desktop, ensure you have a process in place to manage deployment of updates and patches to the clients. | Recommended | Recommended
10 | Applications and services must comply with state and federal guidelines regarding web accessibility. See: http://www.kumc.edu/information-resources/web-resource-accessibility.html | Required | Required
11 | Web-based applications should comply with university visual identity standards. | Required | Required
Additional notes:
- Departments are encouraged to consult with the Department of Information Resources prior to engaging in any custom application development, to determine whether centralized, freely available full-time programming resources can be used in some capacity, including defining requirements, scope, architecture, security, data modeling, project management, etc.
- Applications must work on existing infrastructure.
- All applications will be reviewed by Information Resources programming staff before being loaded on KUMC web servers or otherwise made available for use.
- On request, source code and documentation will be provided to Information Resources.
- Prior to installation on KUMC's production environment, applications will be loaded on the IR-managed testing environment. IR staff will assist in this process.
- Departments should assign one or more staff as Application Administrator(s) to manage the day-to-day activities associated with the application and to serve as a point of contact for working with IR on ongoing technical activities, including loading patches/updates, backup recovery, and configuration.
- Departments should make provision for ongoing technical support of the application, whether through local programming resources, an SLA with Information Resources, or a maintenance contract.
Enforcement
Systems not in compliance will be disconnected from the network or disabled.
For related information
See Supported Development Environments
See the Web Development Resource Guide
See Working with Vendor Systems
Contact Information
For information on this policy, please contact:
Jameson Watkins
Director of Internet Development
Department of Information Resources
University of Kansas Medical Center
4021 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7387
Steffani Webb
Associate Vice Chancellor for Information Resources
Chief Information Officer (Interim)
University of Kansas Medical Center
1018 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7300
Revised February 2012