Secure Application Development Operational Protocol

Principle

Applications developed by personnel employed or contracted by KUMC departments must meet KUMC standards for secure application development.

Purpose
The purpose of this operational protocol is to assure that the programming of custom applications conforms to best practices for secure application development.

Groups covered

All KUMC faculty, staff, and students.

Minimum Application Development Standards

All applications hosted on KUMC infrastructure must comply with the following set of minimal practices.

Each practice is rated for public-facing applications and for applications that contain sensitive information.

1. Ensure applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Flaws this prevents include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws. See http://www.owasp.org/ for more information and examples.
   Public-facing: Required. Contains sensitive information: Required.

2. Ensure applications execute proper error handling so that errors will not provide detailed system information, deny service, impair security mechanisms, or crash the system. See http://www.owasp.org/ for more information and examples.
   Public-facing: Required. Contains sensitive information: Required.

3. Ensure applications authenticate users through central authentication systems where possible, specifically Central Authentication Services (CAS), Active Directory, LDAP, or Shibboleth.
   Public-facing: Recommended. Contains sensitive information: Required.

4. Establish authorizations for applications by affiliation, membership, or employment, rather than by individual.
   Public-facing: Recommended. Contains sensitive information: Recommended.

5. Services or applications running on systems manipulating confidential data must implement secure (that is, encrypted) communications as required by sensitive information and integrity needs. See http://www.kumc.edu/information-resources/sensitive-information-policy.html
   Public-facing: Recommended. Contains sensitive information: Required.

6. Conduct code-level security reviews with professionally trained peers for all new or significantly modified applications, particularly those that affect the collection, use, and/or display of sensitive information, documenting the actions that were taken.
   Public-facing: Recommended. Contains sensitive information: Required.

7. Maintain source code separate from compiled code, ideally in a centralized code repository like CVS or Team Foundation Services that is regularly groomed and backed up.
   Public-facing: Recommended. Contains sensitive information: Recommended.

8. Locate services or applications on infrastructure that is actively managed, i.e., updates are applied, backup procedures are in place, etc.
   Public-facing: Required. Contains sensitive information: Required.

9. For software run on the desktop, ensure you have a process in place to manage deployment of updates and patches to the clients.
   Public-facing: Recommended. Contains sensitive information: Recommended.

10. Applications and services must comply with state and federal guidelines regarding web accessibility. See: http://www.kumc.edu/information-resources/web-resource-accessibility.html
   Public-facing: Required. Contains sensitive information: Required.

Web-based applications should comply with university visual identity standards.
   Public-facing: Required. Contains sensitive information: Required.
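An added example, not part of the KUMC protocol, showing practices 1 and 2 together in Python: allowlist validation that admits only field values known to be well-formed, and error handling that keeps exception detail in the server log while the client receives only a generic message and a reference id. The field names, patterns and the `lookup` callback are assumptions for illustration.

```python
# Added example; field names and patterns are assumptions, not KUMC rules.
import logging
import re
import uuid

log = logging.getLogger("app")

# Allowlist rules (practice 1): each value must fully match the pattern for
# its field. Input is either known-good or refused; nothing is "cleaned up".
ALLOWLIST = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "record_id": re.compile(r"[0-9]{1,9}"),
    "department": re.compile(r"[A-Za-z][A-Za-z &-]{0,63}"),
}

class ValidationError(ValueError):
    """Raised for unknown fields or values outside the allowlist."""

def validate(fields: dict) -> dict:
    """Return the accepted fields, rejecting unknown names and any value that
    does not match its allowlist pattern."""
    clean = {}
    for name, value in fields.items():
        rule = ALLOWLIST.get(name)
        if rule is None:
            raise ValidationError(f"unexpected field: {name}")
        if not isinstance(value, str) or not rule.fullmatch(value):
            # Name the field, but never echo the rejected value back.
            raise ValidationError(f"invalid value for {name}")
        clean[name] = value
    return clean

def handle_request(fields: dict, lookup) -> tuple[int, dict]:
    """Validate input, then call `lookup` (an assumed backend function).
    Validation failures return 400 with a short reason. Any other failure is
    logged in full under a correlation id, and the client gets only a generic
    message plus that id (practice 2: no stack traces or system details)."""
    try:
        clean = validate(fields)
        return 200, {"result": lookup(clean)}
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed (ref %s)", ref)  # detail stays server-side
        return 500, {"error": "An internal error occurred.", "ref": ref}
```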

 

Additional notes:

  • Departments are encouraged to consult with the Department of Information Resources prior to engaging in any custom application development, to determine whether centralized, freely available full-time programming resources can be used in some capacity, including defining requirements, scope, architecture, security, data modeling, project management, etc.
  • Applications must work on existing infrastructure.
  • All applications will be reviewed by Information Resources programming staff before being loaded on KUMC web servers or otherwise made available for use.
  • On request, source code and documentation will be provided to Information Resources.
  • Prior to installation on KUMC's production environment, applications will be loaded on the IR-managed testing environment. IR staff will assist in this process.
  • Departments should assign one or more staff as Application Administrator(s) to manage the day-to-day activities associated with the application and to serve as the point of contact for working with IR on ongoing technical activities, including loading patches/updates, backup recovery, and configuration.
  • Departments should make provision for ongoing technical support of the application, whether through local programming resources, an SLA with Information Resources, or a maintenance contract.

Enforcement

Systems not in compliance will be disconnected from the network or disabled.

For related information

See Supported Development Environments
See the Web Development Resource Guide
See Working with Vendor Systems

Contact Information

For information on this policy, please contact:

Jameson Watkins
Director of Internet Development
Department of Information Resources
University of Kansas Medical Center
4021 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7387

Steffani Webb
Associate Vice Chancellor for Information Resources
Chief Information Officer (Interim)
University of Kansas Medical Center
1018 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7300

Revised February 2012

Last modified: Jan 22, 2013