Security weaknesses in applications can leave sensitive U-M data vulnerable to attack. This puts the university at risk for reputational, financial, and legal damage, and creates potential risks for members of the U-M community whose personal data could be exposed.
To reduce this risk, you are expected to take appropriate action to secure university applications, including:
- Review existing apps for security.
- Build security in from the start for new apps.
- Secure systems that host apps.
Know Your Responsibilities
All persons who develop, maintain, or host applications that process university data classified as Restricted, High, or Moderate are required to ensure those applications follow secure coding, hosting, and administrative best practices in accordance with Secure Coding and Application Security (DS-18).
Follow Best Practices for Secure Coding, Testing, and Hosting
Addressing security early in the software development life cycle is easier, less expensive, and less risky than correcting issues found in late-stage testing or after an application has been released to production. Information Assurance (IA) has compiled lists of best practices and resources to help you prevent application security problems from the start.
- Best Practices for Secure Coding. A list of essential best practices for secure application coding and hosting.
- Secure Coding: Guidance and Training Resources. IA-recommended resources for information and learning about secure application coding and hosting.
- U-M App Security Testing Services. IA recommends that, in addition to following best practices in coding and hosting applications, you use one of the testing resources available at U-M to help you check for application security.
Applicable University Policies
You are responsible for complying with the policies and standards below. The information above can help you meet that responsibility.
- Information Security (SPG 601.27)
- Institutional Data Resource Management Policy (SPG 601.12)
- Secure Coding and Application Security (DS-18)
- Security Log Collection, Analysis, and Retention (DS-19)
- Access, Authorization, and Authentication Management (DS-22)
- Security of Enterprise Application Integration (DS-09)
- Vulnerability Management (DS-21)