Secure Web Application Development, Information Technology

Title: Secure Web Application Development, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability: Storrs and Regionals
Effective Date: May 16, 2012
For More Information, Contact: Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: http://security.uconn.edu/

This policy is available in the Information Security Policy Manual.

Departments will ensure that development, test, and production environments are separated. Confidential Data must not be used in the development or test environments.

All applications must be tested for known security vulnerabilities (such as the OWASP Top Ten) prior to being placed in production and at regular intervals thereafter.

Production application code shall not be modified directly without following an emergency protocol that is developed by the department, approved by the Data Steward, and includes post-emergency testing procedures.

Web servers that host multiple sites may not contain Confidential Data.

All test data and accounts shall be removed prior to systems becoming active in production.

The use of industry-standard encryption for data in transit is required for applications that process, store, or transmit Confidential Data.

Authentication must always be done over encrypted connections. University enterprise Central Authentication Service (CAS), Shibboleth, or Active Directory services must perform authentication for all applications that process, store, or transmit Confidential or Protected Data.

Web application and transaction logging for applications that process, store, or transmit Confidential Data or Regulated Data must submit system-generated logs to the Information Security Office’s central logging system.

Departments implementing applications must retain records of security testing performed in accordance with this policy.

Policy Created: May 16, 2012