Standard and Process

See the specific requirements in the Software Development Standard in the University's Policy Library. The following supplements the requirements in University policy.

The software consists of instructions and code that use programming languages in the application (e.g., end-user application, script to automate a production task).

Software development should use industry best standards and include security controls in all phases of the software development life cycle (SDLC).

Requirements Analysis Phase

In this phase, use the SDLC process for the unit to document the security requirements for the software. This includes documenting the types of data that will be stored or processed by the software.

Design Phase

Design the software to include applicable security controls. Security controls include and are not limited to:

  • authentication;
  • access to the data and the software;
  • account management;
  • application and/or transaction logs;
  • encryption.

The design phase includes planning for decommissioning of the software and the environment after completion of each phase in the SDLC process, including software obsolescence.

Development Phase

Protect the development environment. Security controls include and are not limited to:

  • using actively supported code where the vendor or open source community continues to identify and remediate security vulnerabilities;
  • implementing security controls and functionality;
  • using industry-standard secure coding procedures;
  • maintaining segregation from the production environment.

Securely remove the development environment and data when no longer needed.

Testing and Quality Assurance Phase

Use a non-production environment for testing. Test to ensure that the security requirements are included in the software.

Develop a testing and quality assurance plan to document the scope, approach, resources, and schedule for testing. The test plan should include, but is not limited to:

  • identifying tests to ensure that the security and functional requirements are met;
  • identifying individuals other than the developer for testing;
  • identifying users or their use cases for testing; and
  • documenting the test results.

Code review helps identify potential coding vulnerabilities. Code review should include at least the following:

  • review by individuals other than the originating code author, or use automated software;
  • assess code to meet secure coding guidelines and best practices;
  • implement corrections prior to code release; and
  • review and approval of code-review results by management prior to code release.

PCI DSS has specific requirements for code review.

Securely remove the testing and quality assurance environment and data when no longer needed.

Deployment Phase

The production environment should not contain development/test code and data, including test accounts.

Need to meet security requirements prior to deploying into production.

After deployment, review the need for a non-production environment and take steps to securely remove the software and data in the non-production environment.

Maintenance Phase

After the deployment phase, continuous maintenance of the software and protection of the data in both the production and non-production environments is required.

Monitor mailing lists for vulnerabilities and bugs in software or code dependencies.

See the Information Security policy appendices for additional information security standards that also apply.

More Information

Document Management

Document Responsibility and History
Document Owner Document Approvers Effective Date Last Reviewed Date
University Information Security

Brian Dahlin,
Chief Information Security Officer

Bernard Gulachek,
VP of Information Technology and Chief Information Officer

May 2019 May 2019