Information Resources
Secure Application Development Operational Protocol
Applications developed by personnel employed or contracted by KUMC departments must meet KUMC standards for secure application development.
Purpose
The purpose of this operational protocol is to assure that the programming of custom applications conforms to best practices for secure application development.
Groups covered
All KUMC faculty, staff, and students.
Minimum Application Development Standards
All applications hosted on KUMC infrastructure must comply with the following set of minimal practices.
| # | Practice | Public-facing | Contains sensitive information |
|---|----------|---------------|--------------------------------|
| 1 | Ensure applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Examples of what this guards against include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws. See http://www.owasp.org/ for more information and examples. | Required | Required |
| 2 | Ensure applications execute proper error handling so that errors will not provide detailed system information, deny service, impair security mechanisms, or crash the system. See http://www.owasp.org/ for more information and examples. | Required | Required |
| 3 | Ensure applications authenticate users through central authentication systems where possible, specifically, Central Authentication Services (CAS), Active Directory, LDAP, or Shibboleth. | Recommended | Required |
| 4 | Establish authorizations for applications by affiliation, membership, or employment, rather than by individual. | Recommended | Recommended |
| 5 | Services or applications running on systems manipulating confidential data must implement secure (that is, encrypted) communications as required by sensitive information and integrity needs. See http://www.kumc.edu/information-resources/sensitive-information-policy.html | Recommended | Required |
| 6 | Conduct code-level security reviews with professionally trained peers for all new or significantly modified applications, particularly those that affect the collection, use, and/or display of sensitive information, and document the actions that were taken. | Recommended | Required |
| 7 | Maintain source code separate from compiled code, ideally in a centralized code repository like CVS or Team Foundation Services that is regularly groomed and backed up. | Recommended | Recommended |
| 8 | Locate services or applications on infrastructure that is actively managed, i.e., updates are applied, backup procedures are in place, etc. | Required | Required |
| 9 | For software run on the desktop, ensure you have a process in place to manage deployment to the clients for updates and patches. | Recommended | Recommended |
| 10 | Applications and services must comply with state and federal guidelines regarding web accessibility. See: http://www.kumc.edu/information-resources/web-resource-accessibility.html | Required | Required |
|  | Web-based applications should comply with university visual identity standards. | Required | Required |
Additional notes:
Enforcement
Systems not in compliance will be disconnected from the network or disabled.
For related information
See Supported Development Environments
See the Web Development Resource Guide
See Working with Vendor Systems
Contact Information
For information on this policy, please contact:
Jameson Watkins
Director of Internet Development
Department of Information Resources
University of Kansas Medical Center
4021 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7387
Steffani Webb
Associate Vice Chancellor for Information Resources
Chief Information Officer (Interim)
University of Kansas Medical Center
1018 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7300
Revised February 2012