Division: Administration & Finance
Department: Information Technology Services
Contact Information: Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu
Effective Date: Friday, October 1, 2010
Authority:
Objective: This Policy defines requirements for Web application development and security for all SF State Web applications deployed on or off-campus.
Statement:
Purpose and Scope
This Policy defines requirements for Web application development and security for all San Francisco State Web applications deployed on or off-campus. This applies to any Web-based technology purchased, obtained at no cost or developed in-house.
Policy
It is the responsibility of unit managers to follow the Web application development and security standards set out in this Policy. This Policy focuses on Web application development standards and is intended to complement the patch management, server management and change management policies, which must also be followed.
For the purpose of this Policy, sensitive data is defined as information that is not intended to be public, including data classified by the California State University (CSU) as Levels 1 and 2.
Encryption
- Valid Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates must be used for all sensitive information in transit between the client, server and other servers
- Production services that use TLS/SSL certificates must obtain them from a recognized Certificate Authority (CA)
- Applications using cryptography must use industry standard algorithms and implementations
Authentication and Authorization
- Shibboleth should be used to authenticate users from SF State and other InCommon Federation members
- If Shibboleth cannot be used to authenticate users from SF State, then SF State Active Directory (LDAP) must be used
- Web applications that process sensitive data must verify authorization for each request
Data Validation
- Web applications must validate all data for expected values
- Web applications must use server-side validation
- Web applications that use data from another source must take steps to ensure the external data is trustworthy
- Web forms and interactive elements must use a secure token to verify the user intentionally initiated the request
- Web applications must validate all data that is passed to interpreters, including Web browsers, database systems and command shells
- Web applications must only send data and code to the browser that the user is authorized to see or use
Session Management
- Web applications must set the 'secure' flag for cookies that contain sensitive data to ensure they are only sent over secure connections
- Web applications must keep session times to the minimum duration necessary for operation
- Web applications must have server-based disconnects
- Web applications must use a secure session key/token to avoid sending 'hidden data' to the browser
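The session-management items above (the 'secure' cookie flag, a minimum session duration, server-based disconnects, an opaque session token instead of 'hidden data') and the Data Validation requirement for a secure request token can all be met by one small server-side session layer. The following is an added illustration, not code from SF State or this Policy; the 15-minute timeout, the `sid` cookie name and the `SessionStore`/`verify_csrf` names are assumptions made for the example.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60  # constructed value: 15-minute idle timeout ("minimum duration necessary")

class SessionStore:
    """Server-side session table; the browser holds only an opaque session id."""
    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._sessions = {}  # session id -> {"user", "csrf", "expires"}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable session key; nothing sensitive goes to the browser
        csrf = secrets.token_urlsafe(32)  # per-session token for forms and interactive elements
        self._sessions[sid] = {"user": user, "csrf": csrf, "expires": now + self.ttl}
        return sid

    def lookup(self, sid, now=None):  # session record, or None if unknown or timed out
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now >= s["expires"]:
            del self._sessions[sid]  # server-based disconnect: idle sessions are dropped
            return None
        s["expires"] = now + self.ttl  # sliding idle timeout
        return s

    def disconnect(self, sid):  # explicit server-side logout
        return self._sessions.pop(sid, None) is not None

def session_cookie_header(sid):
    # Set-Cookie value with the Secure flag, plus HttpOnly and SameSite as defence in depth
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Strict"
    return c["sid"].OutputString()

def verify_csrf(store, sid, submitted_token, now=None):
    # Accept a form post only if its token matches the token bound to a live session
    s = store.lookup(sid, now)
    if s is None or not submitted_token:
        return False
    return hmac.compare_digest(s["csrf"], submitted_token)
```

The CSRF token is stored only on the server and compared in constant time, so a forged cross-site request cannot supply it and a mismatch leaks nothing about its value.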
Related Policies
References
- Data Classification Levels (Asset Management ISO Domain 8 Standard)
- Open Web Application Security Project (OWASP) Top 10
- Open Web Application Security Project (OWASP) Development Guide