UC Secure Software Development Standard

Similar documents
UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Solutions Business Manager Web Application Security Assessment

C1: Define Security Requirements

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

SECURITY & PRIVACY DOCUMENTATION

A company built on security

OWASP Top 10 The Ten Most Critical Web Application Security Risks

EasyCrypt passes an independent security audit

Security Solutions. Overview. Business Needs

Secure Access & SWIFT Customer Security Controls Framework

SDR Guide to Complete the SDR

Checklist: Credit Union Information Security and Privacy Policies

Effective Strategies for Managing Cybersecurity Risks

The Common Controls Framework BY ADOBE

Copyright

Secure Development Guide

QuickBooks Online Security White Paper July 2017

Credentials Policy. Document Summary

Oracle Data Cloud ( ODC ) Inbound Security Policies

TIBCO Cloud Integration Security Overview

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

U.S. E-Authentication Interoperability Lab Engineer

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

10 FOCUS AREAS FOR BREACH PREVENTION

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Secure Application Development. OWASP September 28, The OWASP Foundation

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

HIPAA Regulatory Compliance

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

IoT & SCADA Cyber Security Services

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Scan Report Executive Summary

Procurement Language for Supply Chain Cyber Assurance

Cloud FastPath: Highly Secure Data Transfer

Simplifying Application Security and Compliance with the OWASP Top 10

Web Application Vulnerabilities: OWASP Top 10 Revisited

DreamFactory Security Guide

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

The requirements were developed with the following objectives in mind:

BFB-IS-3: Electronic Information Security

V Conference on Application Security and Modern Technologies

Information Security Policy

the SWIFT Customer Security

CS 356 Operating System Security. Fall 2013

Evaluating the Security Risks of Static vs. Dynamic Websites

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Juniper Vendor Security Requirements

CoreMax Consulting s Cyber Security Roadmap

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Cyber Security Program

epldt Web Builder Security March 2017

Mobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.

UCOP ITS Systemwide CISO Office Systemwide IT Policy

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Training Program Catalog SECURITY INNOVATION

How NOT To Get Hacked

Automating the Top 20 CIS Critical Security Controls

Application Layer Security

W H IT E P A P E R. Salesforce Security for the IT Executive

Cyber Security - Information Security & Testing

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

Information Security Controls Policy

Exploiting and Defending: Common Web Application Vulnerabilities

Security+ SY0-501 Study Guide Table of Contents

Security Communications and Awareness

MigrationWiz Security Overview

Secure coding practices

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Product Security Program

Welcome to the OWASP TOP 10

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

CSWAE Certified Secure Web Application Engineer

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

TRAINING CURRICULUM 2017 Q2

Security Architecture

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

7.16 INFORMATION TECHNOLOGY SECURITY

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Guidelines for Data Protection

Robust Defenses for Cross-Site Request Forgery Review

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):ekk.worldtravelink.com

OWASP InfoSec Romania 2013

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

SECURITY TESTING. Towards a safer web world

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

90% of data breaches are caused by software vulnerabilities.

Transcription:

UCOP ITS Systemwide CISO Office Systemwide IT Policy UC Secure Software Development Standard Revision History Date: By: Contact Information: Description: 04/02/18 Robert Smith robert.smith@ucop.edu Initial issue of the Standard. Approved by the CISOs for consideration by ITLC and shared governance. Interim until approved by ITLC.

Table of Contents 1 Background and Purpose...3 2 Scope...3 3 Definitions...4 4 Requirements for Secure Software Development...4 4.1 Software Development Process...4 4.2 Input Validation...5 4.3 Exception and Error Handling...5 4.4 Cross Site Scripting (XSS) and Invalidated Redirects/Forwards...6 4.5 Insecure Direct Object References...6 4.6 Logging...6 4.7 TLS and Secure APIs...6 4.8 Credentials/Passphrases...7 4.9 Session and Logout...7 4.10 Federated Authentication / SAML / Shibboleth...7 4.11 File Management...8 4.12 Secure Configuration...8 4.13 Documentation...8 4.14 Version Control...8 5 References...9 6 Standards...9 7 UC Policy...9 Last Updated: 03/12/2018 Page 2 of 10 Editor: Robert Smith

1 Background and Purpose 2 Scope This Standard defines the requirements for secure software development. These projects are sometimes called custom, in-house or open-source software applications. This Standard must be used in conjunction with UC s information security policy, BFB-IS- 3 Electronic Information Security. Full-featured and robust programing languages and development platforms can weaken our cyber defense if implemented incorrectly. The risk is so common that almost every penetration testing report contains a chapter on exploiting application weaknesses. Proper software development is required as part of the cyber risk management program. Applications, regardless of where they are hosted or where they run, are often not secure by default and require specific steps to achieve a secure outcome. Many website samples and vendor materials focus on getting applications to work with a minimum investment of time and without accounting for ongoing support costs. Even free opensource software can pose significant or important cyber risks. It is thus important to evaluate open-source software properly, too. Attackers can use poorly constructed applications to compromise UC Institutional Information and/or IT Resources or make it possible to use UC IT Resources to do harm to others. As outlined in IS-3, security is part of the entire system lifecycle. The best time to start applying good security principles is before development when requirements are created as part of an overall security architecture. There are many resources available to help select, design, architect, implement and test software and applications to ensure that they are secure. This Standard establishes a minimum set of practices to manage cyber risk. UISLs and IT Workforce Members should also consider reducing cyber risk through: Software and IT Resource architectures. Data minimization (e.g., collecting only the data needed, focusing on a specific purpose). Interface design and dependency management. This Standard applies to all Locations. This Standard applies to all new software developed by or for the University of California as a network accessible production application: For business and administrative purposes; When contracts or grants set forth security requirements or concerns; When privacy or confidentiality is involved; and When there are regulatory requirements that include application security. Note: This Standard does not apply to research computing; academic experiments; or student projects not otherwise covered above, provided there is no processing, storing or transmitting of Institutional Information classified at Protection Level 3 or higher. Last Updated: 03/12/2018 Page 3 of 10 Editor: Robert Smith

Currently deployed or existing systems or applications that are processing, storing or transmitting Institutional Information classified at Protection Level 3 or higher must comply with this Standard when: A specific risk assessment indicates high risk to UC or data subjects. A major or substantive upgrade occurs. 3 Definitions None 4 Requirements for Secure Software Development All software benefits from its developer s adherence to secure software development practices regardless of the Protection Level (PL) or Availability Level (AL) classification associated with the Institutional Information processed, stored or transmitted. Software does not exist in a vacuum (e.g., it is often collocated with other applications); a weakness in one application can become an attack vector to gain access to other applications or data. Secure practices for all software development are a vital part of adequate cyber risk management. IT Workforce Members must follow secure software development practices during the entire software development lifecycle and implement controls appropriately. The layering of security controls helps prevent or detect breach attempts and can reduce the time required to detect and respond to attackers. Even applications that process only Institutional Information classified at Protection Level 1 need to be secure so they are not exploited to attack users with malware downloads or redirects to malicious sites. Attackers can use vulnerabilities in these applications to gain access to internal IT Resources with a higher Protection Level. 4.1 Software Development Process Secure software development includes integrating security in different phases of the software development lifecycle (SDLC), such as requirements, design, implementation and testing. The basic task of security requirement engineering is to identify and document actions needed for developing secure software systems. Security elements of the SDLC must include: Planning to meet security requirements and goals. Threat modeling. Design to include security and privacy concerns. System architecture (e.g., web, applications, user interfaces, programmatic interfaces, file import/export, reports, databases). Documentation. Change management (See IS-3, III). Testing, including creating test plans, reviewing test results and confirming fixes and patches. Secure deployment practices and separation of duties. Regarding code review, Units developing software that will process, store or transmit Institutional Information classified at Protection Level 3 or higher or Availability Level 3 or higher must: Last Updated: 03/12/2018 Page 4 of 10 Editor: Robert Smith

4.2 Input Validation Perform code reviews to reduce cyber risk. Consider and check for common security mistakes. Include in the review process a senior software developer and, if possible, choose an independent one. Include in the review process an IT Workforce Member with specific security experience. Use automated secure code testing/checking tools: o Perform static code analysis. o Perform dynamic code analysis. Validate user input before using the input data programmatically. Sanitize or reject invalid user input to protect against code injection attacks. Include user interface controls in the input validation strategy to make compliant and safe input easy for the user. Protect against buffer overflow attacks. Protect against array index errors. Protect against parameter manipulation attacks. Use parameterized SQL queries. Defend against SQL injection attacks. Put all SQL code/commands in server-side code. o Do not use dynamic/concatenated database queries. o Do not put SQL in client-side code. Set Autocomplete=off in HTML to prevent the caching of sensitive information. Protect against URL query string manipulation attacks. IT Workforce Members developing software must not use the following types of information in the URL/URI: Credentials. Access tokens, serial numbers or record numbers. PII (e.g., names, SSNs, driver s license numbers or dates-of-birth). PHI (e.g., a Medical Record Number, diagnosis, condition or name). 4.3 Exception and Error Handling Configure runtime environments so that they do not reveal native framework errors (e.g.,.net, J2EE) to the screen/browser. Set up custom error pages for framework errors. Handle expected errors and provide users/administrative staff enough detail in error messages to troubleshoot problems. Write code so there are no unhandled errors. Create (wrap code) last-resort error try-catch blocks. Never use empty catch blocks. Ensure catch blocks cause the application to stop running and exit in a secure state. Log detailed exception and error messages to the application event logs. Last Updated: 03/12/2018 Page 5 of 10 Editor: Robert Smith

4.4 Cross Site Scripting (XSS) and Invalidated Redirects/Forwards IT Workforce Members developing software must test untrusted data or code before sending it to a web browser. Testing must include proper validation for common XSS attacks. Note: See the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet 4.5 Insecure Direct Object References 4.6 Logging IT Workforce Members developing software must ensure that direct object references to any object, file, directory or database key include an access control check or other protection. 4.7 TLS and Secure APIs Log events related to authentication (success or failure), use of privileged functions, administration activities and system/component starts and stops. Log security-related events to a separate log file when possible. This provides developers with additional flexibility for any specific rules related to the log file (e.g., special roles/permissions, chain-of-custody, etc.). Limit information in the log details, especially if security events are comingled with other application events (e.g., do not log sensitive information). Use file naming conventions (e.g., rotation, location, etc.) so the Location, Unit SIEM service or InfoSec professional can ingest the logs. Store security related logs separately from the application when possible. Establish monitoring/logging services of log files from the Location s central security organization, Service Provider, Supplier or Unit for Institutional Information classified at Protection Level 3 or higher or Availability Level 3 or higher. Ensure sufficient storage is available to maintain logs throughout the required retention period. Force HTTPS for all browser connections. Disable HTTP. Use TLS 1.2 or later to protect machine-to-machine connections (e.g., app server to DB server connections). Use strict transport security header. Encrypt using a separate and unique credential for Institutional Information classified at Protection Level 3 or higher. Ensure that the encryption technology used is approved by the CISO. Authenticate and encrypt the session when software involves the transmission of Institutional Information classified at Protection Level 3 or higher. Encrypt APIs, restful interfaces, extract tools and service bus sessions. Authenticate APIs, restful interfaces, extract tools and service bus sessions. Last Updated: 03/12/2018 Page 6 of 10 Editor: Robert Smith

Separate public and private application APIs and configure CORS (Cross Origin Resource Sharing) headers to restrict invocation rights. Note: IT Workforce Members must not write their own encryption code because it is too easy to make critical errors. Training does not exempt IT Workforce Members from this warning. This applies to everyone: DO NOT WRITE YOUR OWN CRYPTO. The problem of encrypting data has already been solved and vetted by the security community (e.g., FIPS 140-2 validated ciphers). See references below. 4.8 Credentials/Passphrases 4.9 Session and Logout Never store user passphrases. Protect service account credentials with established tools and techniques. Never hardcode credentials. Implement lockout after 5 failed authentication attempts. Use secure protocols for credential or other secret exchanges (e.g., TLS 1.2 or later). Ensure that session timeout is implemented. Make sure session tokens are random and long (GUID long). Change (delete old and create new) tokens at each logon and each privilege escalation. Delete, remove and invalidate tokens on logout. Use TLS 1.2 or later for all session tokens and cookies. Provide a logout function. Prominently display the logout function throughout the application. Properly close records, delete temporary objects and close operations on the server: o As part of the logout process. o After a set period of inactivity (e.g., less than one hour). o After a browser window close. 4.10 Federated Authentication / SAML / Shibboleth IT Workforce Members developing software must use the Location-approved, single sign-on, SAML-based authentication or the CISO-approved method for authenticating users. They must also: Assign permissions to user groups (not individual users). Assign users to user groups. Ensure the application has a user group with no/minimal privileges assigned. Assign or default new users to the user group with no/minimal privileges and make assignment to a group explicit. Check/recheck authorization at the next logical operation (e.g., for web applications at the next page request). Log all actions that grant users or groups permissions or rights. Last Updated: 03/12/2018 Page 7 of 10 Editor: Robert Smith

4.11 File Management Prevent/disable directory traversal/directory listing. Filter web requests to block access to files with non-approved extensions (e.g.,.dll,.config,.java,.cs, etc.). For IT Resources with Availability Level 3 or higher, set a directory quota or similar control. Ensure shared volumes/file shares have appropriate access restrictions limited to the application service account. 4.12 Secure Configuration 4.13 Documentation Use secure configuration options for supporting technology, libraries, packages and tools. Perform or have performed a vulnerability scan of the entire solution and appropriately remediate findings based on risk before placing the solution into production. Secure the components used in an application. Run components with the least privilege possible. Keep components patched and up-to-date. Execute SQL with the least privilege possible. Use vetted and tested hardening guides to ensure the correct application of options and settings. Define, implement and maintain secure settings (e.g., do not rely on default settings). Secure the software configuration used in an application. Set the configuration to define which HTTPS methods (e.g., Get or Post) the application will support and whether HTTPS methods will be handled differently in different pages of the application. Set Header and Content-Security-Policy when possible. IT Workforce Members developing software with Protection Level 3 or higher or Availability Level 3 or higher must create project documentation to: Record the security features and steps taken to protect: o Confidentiality concerns. o Integrity concerns. o Availability concerns. Track defects and fixes to defects. Note/record testing processes and how testing processes manage cyber risk. List components used and the security state of the components. 4.14 Version Control IT Workforce Members developing software with Protection Level 3 or higher or Availability Level 3 or higher must: Use a software version control system or repository. Last Updated: 03/12/2018 Page 8 of 10 Editor: Robert Smith

5 References Deploy test and production applications from the version control system or repository. Tag/label versions so that they can be extracted at a later time. Configure the version control system or repository to prevent and detect unauthorized changes. Howard, M. and LeBlanc, D. (2004). Writing Secure Code 2, Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World (Developer Best Practices). Redmond, Washington: Microsoft Press. OWASP Top 10: https://www.owasp.org/index.php/top_10_2017-top_10 OWASP Secure Coding Guidelines: https://www.owasp.org/images/0/08/owasp_scp_quick_reference_guide_v2.pdf OWASP Web.config Encryption: https://www.owasp.org/index.php/owasp_backend_security_project_.net_security_p rogramming#web.config_encryption OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet. https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_shee t FIPS 140-2: https://csrc.nist.gov/projects/cryptographic-module-validation- Program/Standards Cryptographic Algorithm Validation Program: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices: https://csrc.nist.gov/publications/detail/sp/800-111/final Developing for accessibility: http://www.ucop.edu/electronic-accessibility/standardsand-best-practices/description-of-wcag-2.0.html 6 Standards IT Security Committee UC Minimum Security Standard IT Security Committee UC Account and Authentication Management Standard IT- Security Committee UC Logging Standard EAA-006 Federated authentication protocols (Cross-campus Applications) EAA-007 User Identification Attributes EAA-033 Password Complexity and Online Guessing Resistance Standard EAA-061 Secure Data Transfer Mechanisms EAA-065 Event Logging and Management Standard EAA-070 HTTPS Everywhere 7 UC Policy Last Updated: 03/12/2018 Page 9 of 10 Editor: Robert Smith

UC Business and Finance Bulletin IS-3 Electronic Information Security UC Business and Finance Bulletin IS-12 Continuity Planning and Disaster Recovery Last Updated: 03/12/2018 Page 10 of 10 Editor: Robert Smith

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback