Secure Application Development Guidelines
This Policy establishes guidelines to ensure that risk associated with university applications are properly managed. This includes but is not limited to the following:
- Units are encouraged to consult with University Technology (uTech) and Administrative Information Management Systems (AIMS) prior to engaging any custom application development to assure that centralized, freely available full-time programming resources can be used in some capacity, including defining requirements, scope, architecture, security, data modeling, project management, etc.
- It is highly recommended that any major application development effort or any application development effort involving sensitive data follow the university Secure Web Application Development Standards (ECOM login required).
- Applications must work on existing infrastructure.
- The office of the CTSO reserves the right to have an application assessed prior to being made available for use. Depending on the risk to the university this may include having the application assessed by a third party at department expense.
- On request, source code and documentation will be provided to the office of the CTSO or internal audit (may apply to custom code developed by a 3rd party for the university)
- Prior to installation on WIU’s production environment, major applications or applications that touch sensitive data must be tested on an uTech-managed test environment.
- Units should make provision for ongoing technical support of the application, whether through local programming resources, a SLA with University Technology, or a maintenance contract.
- No programs will run at a level that bypasses security
- Units must complete an application authorization form (ECOM login required) which provides for the authorization, inventory and tracking of future application development efforts.
- Custom software development requires but is not limited to the following:
- An application firewall should be in place to provide an umbrella of security for yet to be remediated applications and yet unknown (zero day) vulnerabilities.
- It is recommended that peer code reviews and walkthroughs be done.
Applications must be scanned for security vulnerabilities and remediated prior to going into production. This requirement can be met by vendors providing a detailed independent 3rd party security audit reports (security vendor must be reputable such as VeriSign, Foundstone, etc.) showing that all high level or higher security vulnerabilities have been remediated or a reasonable remediation timeline has been documented and agreed upon. Minimally annually University Technology must conduct penetration testing of network components and applications.