Web Application Development and Security

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Friday, October 1, 2010

Authority: 


Objective: 

This Practice Directive defines requirements for Web application development and security for all SF State Web applications deployed on or off-campus.


Statement: 

Purpose and Scope

This Practice Directive defines requirements for Web application development and security for all San Francisco State Web applications deployed on or off-campus. This applies to any Web-based technology purchased, obtained at no cost or developed in-house.

Practice Directive

It is the responsibility of unit managers to follow Web application development and security standard policies. This Practice Directive focuses on Web application development standards and is intended to complement the patch management, server management and change management policies that must also be followed.

For the purpose of this Practice Directive, sensitive data is defined as information that is not intended to be public, including data classified by the California State University (CSU) as Levels 1 and 2.

Encryption

  • Valid Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates must be used for all sensitive information in transit between the client, server and other servers
  • Production services that use TLS/SSL certificates must obtain them from a recognized Certificate Authority (CA)
  • Applications using cryptography must use industry standard algorithms and implementations

Authentication and Authorization

  • Shibboleth should be used to authenticate users from SF State and other InCommon Federation members
  • If Shibboleth cannot be used to authenticate users from SF State, then SF State Active Directory (LDAP) must be used
  • Web applications that process sensitive data must verify authorization for each request

Data Validation

  • Web applications must validate all data for expected values
  • Web applications must use server-side validation
  • Web applications that use data from another source must take steps to ensure the external data is trustworthy
  • Web forms and interactive elements must use a secure token to verify the user intentionally initiated the request
  • Web applications must validate all data that is passed to interpreters, including Web browsers, database systems and command shells
  • Web applications must only send data and code to the browser that the user is authorized to see or use
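The Data Validation items above describe four concrete controls: server-side validation against expected values, a secure token proving the user initiated the request, safe handling of data passed to interpreters, and sending the browser only what the user may see. The following is an added example, not code from the directive or from SF State, showing one way to implement them together in a small request handler. It uses only the Python standard library; the function names (`validate_form`, `issue_csrf_token`, `handle_post`), the field rules, the in-memory SQLite table and the sample rows are all constructed for illustration.

```python
"""Added example (not part of the SF State directive): server-side checks
for the Data Validation items, using only the standard library. All names
and the in-memory SQLite table are constructed for illustration."""
import hashlib
import hmac
import html
import re
import secrets
import sqlite3

# Constructed server-side secret; a real deployment loads it from
# configuration instead of generating it at import time.
SERVER_SECRET = secrets.token_bytes(32)

# Expected values as an allow-list per field, enforced on the server
# regardless of any checks the browser performed.
FIELD_RULES = {
    "student_id": re.compile(r"^\d{9}$"),                 # nine-digit ID
    "term": re.compile(r"^(Fall|Spring|Summer)\d{4}$"),  # e.g. Fall2010
}


def validate_form(form: dict) -> dict:
    """Return a dict of field -> error for every rule violation.
    Unknown fields are errors too; an empty dict means the form is valid."""
    errors = {}
    for name, rule in FIELD_RULES.items():
        value = form.get(name, "")
        if not isinstance(value, str) or not rule.fullmatch(value):
            errors[name] = "invalid or missing"
    for name in form:
        if name not in FIELD_RULES:
            errors[name] = "unexpected field"
    return errors


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session with an HMAC, so a request forged from
    another site cannot present a valid one (the 'secure token' item)."""
    mac = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256)
    return mac.hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time comparison against the token expected for this session."""
    return hmac.compare_digest(issue_csrf_token(session_id), token or "")


def setup_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a real records database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (student_id TEXT, term TEXT, grade TEXT)")
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?)", [
        ("900000001", "Fall2010", "A"),
        ("900000002", "Fall2010", "B"),
    ])
    return conn


def lookup_grades(conn: sqlite3.Connection, student_id: str, term: str) -> list:
    """Data handed to the database interpreter goes through parameter
    placeholders, never string formatting."""
    cur = conn.execute(
        "SELECT grade FROM grades WHERE student_id = ? AND term = ?",
        (student_id, term))
    return [row[0] for row in cur.fetchall()]


def render_grade_page(student_id: str, grades: list) -> str:
    """Data handed to the browser interpreter is HTML-escaped first."""
    items = "".join(f"<li>{html.escape(g)}</li>" for g in grades)
    return f"<h1>Grades for {html.escape(student_id)}</h1><ul>{items}</ul>"


def handle_post(conn: sqlite3.Connection, session_id: str, form: dict) -> tuple:
    """Full request path: CSRF check, server-side validation, parameterized
    query, escaped output. Returns (HTTP status, body)."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "bad or missing CSRF token"
    fields = {k: v for k, v in form.items() if k != "csrf_token"}
    errors = validate_form(fields)
    if errors:
        return 400, "; ".join(f"{k}: {v}" for k, v in sorted(errors.items()))
    # Only the rows this student is entitled to see are queried and returned.
    grades = lookup_grades(conn, fields["student_id"], fields["term"])
    return 200, render_grade_page(fields["student_id"], grades)
```

The order of the checks matters: the CSRF token is verified before any field is examined, and validation rejects unexpected fields rather than ignoring them, so a request cannot smuggle extra parameters past the allow-list.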

Session Management

  • Web applications must set the 'secure' flag for cookies that contain sensitive data to ensure they are only sent over secure connections
  • Web applications must keep session times to the minimum duration necessary for operation
  • Web applications must have server-based disconnects
  • Web applications must use a secure session key/token to avoid sending 'hidden data' to the browser
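The Session Management items above, together with the per-request authorization check required under Authentication and Authorization, map onto a server-side session store. The following added example, not code from the directive or from SF State, shows such a store: the browser receives only an opaque random token in a cookie carrying the `secure` flag, session lifetime is bounded by idle and absolute timeouts, expired or revoked sessions are disconnected on the server, and every request re-checks authorization. The class and function names, the timeout values, the cookie name `sfsession` and the route-to-role table are constructed for illustration.

```python
"""Added example (not part of the SF State directive): a minimal
server-side session store for the Session Management items and the
per-request authorization check. Names, timeouts, cookie name and the
route-to-role table are constructed for illustration."""
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60        # constructed: 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 8 * 3600   # constructed: 8 hours regardless of activity


class SessionStore:
    """Sessions live on the server; the browser only holds an opaque
    random token, so no user data or role travels as 'hidden data'."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic testing
        self._sessions = {}

    def create(self, user: str, roles: set) -> str:
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "roles": set(roles),
                                 "created": now, "last_seen": now}
        return token

    def lookup(self, token: str):
        """Return the session record, or None if unknown or expired.
        Expired sessions are deleted here (server-based disconnect)."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        now = self._clock()
        if (now - rec["last_seen"] > IDLE_TIMEOUT
                or now - rec["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[token]
            return None
        rec["last_seen"] = now
        return rec

    def revoke(self, token: str) -> bool:
        """Explicit server-side disconnect (logout or administrative kill)."""
        return self._sessions.pop(token, None) is not None

    def revoke_user(self, user: str) -> int:
        """Disconnect every session of a user, e.g. after a password change."""
        dead = [t for t, r in self._sessions.items() if r["user"] == user]
        for t in dead:
            del self._sessions[t]
        return len(dead)


def build_session_cookie(token: str) -> str:
    """Set-Cookie value with the 'secure' flag (sent only over TLS), plus
    HttpOnly and SameSite; no Expires, so it is a session cookie."""
    c = SimpleCookie()
    c["sfsession"] = token
    c["sfsession"]["secure"] = True
    c["sfsession"]["httponly"] = True
    c["sfsession"]["samesite"] = "Lax"
    c["sfsession"]["path"] = "/"
    return c.output(header="").strip()


REQUIRED_ROLE = {              # constructed: the role each route requires
    "/grades/view": "student",
    "/grades/edit": "registrar",
}


def authorize_request(store: SessionStore, token: str, path: str) -> tuple:
    """Authorization is decided on the server for every request and never
    cached in the browser. Returns (HTTP status, message)."""
    rec = store.lookup(token or "")
    if rec is None:
        return 401, "no valid session"
    needed = REQUIRED_ROLE.get(path)
    if needed is None:
        return 404, "unknown resource"
    if needed not in rec["roles"]:
        return 403, f"{rec['user']} lacks role {needed}"
    return 200, f"{rec['user']} may access {path}"
```

Because roles are looked up from the server-side record on each call, changing or revoking a user's access takes effect on the next request rather than at the next login, which is the point of verifying authorization per request instead of trusting state carried in the browser.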

Related Practice Directives

References