Division:
Administration & Finance
Department:
Information Technology Services
Contact Information:
Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / nish@sfsu.edu
Effective Date:
Friday, October 1, 2010
Authority:
Objective:
This Policy defines requirements for Web application development and security for all SF State Web applications deployed on or off-campus.
Statement:
Purpose and Scope
This Policy defines requirements for Web application development and security for all San Francisco State Web applications deployed on or off-campus. This applies to any Web-based technology purchased, obtained at no cost or developed in-house.
Policy
It is the responsibility of unit managers to follow Web application development and security standard policies. This Policy focuses on Web application development standards and is intended to complement the patch management, server management and change management policies that must also be followed.
For the purpose of this Policy, sensitive data is defined as information that is not intended to be public, including data classified by the California State University (CSU) as Levels 1 and 2.
Encryption
- Valid Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates must be used for all sensitive information in transit between the client, server and other servers
- Production services that use TLS/SSL certificates must obtain them from a recognized Certificate Authority (CA)
- Applications using cryptography must use industry standard algorithms and implementations
Authentication and Authorization
- Shibboleth should be used to authenticate users from SF State and other InCommon Federation members
- If Shibboleth cannot be used to authenticate users from SF State, then SF State Active Directory (LDAP) must be used
- Web applications that process sensitive data must verify authorization for each request
Data Validation
- Web applications must validate all data for expected values
- Web applications must use server-side validation
- Web applications that use data from another source must take steps to ensure the external data is trustworthy
- Web forms and interactive elements must use a secure token to verify the user intentionally initiated the request
- Web applications must validate all data that is passed to interpreters, including Web browsers, database systems and command shells
- Web applications must only send data and code to the browser that the user is authorized to see or use
Session Management
- Web applications must set the 'secure' flag for cookies that contain sensitive data to ensure they are only sent over secure connections
- Web applications must keep session times to the minimum duration necessary for operation
- Web applications must have server-based disconnects
- Web applications must use a secure session key/token to avoid sending 'hidden data' to the browser
Related Policies
References
- Data Classification Levels (Asset Management ISO Domain 8 Standard)
- Open Web Application Security Project (OWASP) Top 10
- Open Web Application Security Project (OWASP) Development Guide