Standard and Process
See the specific requirements in the Software Development Standard in the University's Policy Library. The following supplements the requirements in University policy.
The software consists of instructions and code that use programming languages in the application (e.g., end-user application, script to automate a production task).
Software development should use industry best standards and include security controls in all phases of the software development life cycle (SDLC).
Requirements Analysis Phase
In this phase, use the SDLC process for the unit to document the security requirements for the software. This includes documenting the types of data that will be stored or processed by the software.
Design the software to include applicable security controls. Security controls include and are not limited to:
- access to the data and the software;
- account management;
- application and/or transaction logs;
The design phase includes planning for decommissioning of the software and the environment after completion of each phase in the SDLC process, including software obsolescence.
Protect the development environment. Security controls include and are not limited to:
- using actively supported code where the vendor or open source community continues to identify and remediate security vulnerabilities;
- implementing security controls and functionality;
- using industry-standard secure coding procedures;
- maintaining segregation from the production environment.
Securely remove the development environment and data when no longer needed.
Testing and Quality Assurance Phase
Use a non-production environment for testing. Test to ensure that the security requirements are included in the software.
Develop a testing and quality assurance plan to document the scope, approach, resources, and schedule for testing. The test plan should include, but is not limited to:
- identifying tests to ensure that the security and functional requirements are met;
- identifying individuals other than the developer for testing;
- identifying users or their use cases for testing; and
- documenting the test results.
Code review helps identify potential coding vulnerabilities. Code review should include at least the following:
- review by individuals other than the originating code author, or use automated software;
- assess code to meet secure coding guidelines and best practices;
- implement corrections prior to code release; and
- review and approval of code-review results by management prior to code release.
PCI DSS has specific requirements for code review.
Securely remove the testing and quality assurance environment and data when no longer needed.
The production environment should not contain development/test code and data, including test accounts.
Need to meet security requirements prior to deploying into production.
After deployment, review the need for a non-production environment and take steps to securely remove the software and data in the non-production environment.
After the deployment phase, continuous maintenance of the software and protection of the data in both the production and non-production environments is required.
Monitor mailing lists for vulnerabilities and bugs in software or code dependencies.
See the Information Security policy appendices for additional information security standards that also apply.
- This standard is based on the principles of ISO/IEC 27002:2013.
- Technology Portfolio
- OWASP - Secure Coding Guidelines
- SANS- Securing Web Application Technologies Checklist (SWAT)
- NIST SP 800-53 Revision 4
- SA-03 System Development Life Cycle
- SA-08 Security Engineering Principles
- SI-11 Error Handling
- Payment Card Industry Data Security Requirements (PCI DSS)