Body
Issue/Question
What is the USD security policy for Application Software Security?
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Application Software Security
Policy Statement: The University acknowledges the importance of ensuring the security of application software to protect against vulnerabilities and prevent unauthorized access to sensitive data. This policy outlines guidelines for implementing application software security measures to mitigate risks associated with software vulnerabilities and insecure coding practices.
Policy Implementation:
- Secure Software Development Lifecycle (SDLC):
- The University will adopt a secure software development lifecycle (SDLC) approach to integrate security considerations throughout the software development process.
- Secure coding standards, guidelines, and best practices will be established and enforced to minimize the introduction of vulnerabilities during software development.
- University staff need to be trained on secure application development practices.
- Code Reviews and Security Testing:
- Code reviews and security testing, including static code analysis, dynamic application security testing (DAST), and penetration testing, will be conducted to identify and remediate security vulnerabilities in application software.
- Testing procedures will be integrated into the software development process to ensure that security vulnerabilities are identified and addressed before deployment.
- Patch Management:
- The University will implement patch management procedures to ensure that application software is kept up-to-date with the latest security patches and updates.
- Critical security patches will be applied promptly to mitigate known vulnerabilities and reduce the risk of exploitation by malicious actors.
- Secure Configuration and Design:
- Application software will be developed and maintained using OWASP best practices and CISA's Secure by Design.
- Application software will be configured securely following industry best practices and security standards to reduce the attack surface and minimize security risks.
- Default configurations will be reviewed and modified to meet the University's security requirements, including authentication settings, access controls, and encryption settings.
- Application pen testing should occur prior to applications being moved to a production state.
- Third-Party Software Security:
- The University will conduct thorough assessments of third-party software vendors and their products to evaluate security controls, vulnerabilities, and risk exposure.
- Contracts with third-party software vendors will include provisions for security assessments, vulnerability disclosure, and incident response coordination.
- Vetted modules or services will be used for application security components.
- Custom Developed Application Security:
- The University will implement security measures to block insecure or unsigned custom applications or scripts. It will build a review process to handle exceptions.
- Custom developed applications or scripts will be required to meet the same security standards as commercial or third-party applications.
- Separate environments will be maintained for test and production systems and applications.
- Static and dynamic analysis tools will be used to verify that secure practices are in place and do not drift.
Compliance and Enforcement: Non-compliance with this policy may result in disciplinary action, including but not limited to loss of access privileges, fines, or termination of employment. All University departments and personnel involved in software development and deployment are responsible for adhering to this policy and actively participating in application software security measures.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of application software security practices.
This policy provides a comprehensive framework for implementing CIS Control 16 within the University environment. It focuses on integrating security into the software development lifecycle, conducting code reviews and security testing, managing patches, configuring software securely, and assessing third-party software security to mitigate risks associated with software vulnerabilities and insecure coding practices.
Please contact the Service Desk if you need further assistance.