Addressing security early in the software development life cycle is easier and less expensive than correcting issues found in late-stage testing or after an application has been released to production. The following best practices are an essential part of secure application coding and hosting.
- Ensure applications validate input (network, keyboard, file, database) properly and restrictively, allowing only those types of input that are known to be correct, especially from untrusted sources.
- Ensure applications execute proper error handling so that errors will not provide detailed system information, deny service, impair security mechanisms, or crash the system.
Authentication and Authorization
- Authenticate and authorize users through central systems available at the university, specifically: Kerberos, Active Directory, Shibboleth, MCommunity groups.
- Never implement your own authentication system.
- Implement two-factor authentication where possible.
- Base access decisions for both developers and users on permission rather than exclusion, and adhere to the principle of least privilege.
- Wherever feasible, provide access to applications based on role, affiliation, or membership, rather than by individual.
- Ensure your code uses only privileges that are needed, dropping any elevated privileges as soon as possible.
- Use well-known, properly reviewed, actively maintained cryptography libraries.
- Encrypt external transmission for applications or software that maintain, process, transmit, or store sensitive data.
- If possible, use encryption for sensitive data at rest.
- Implement the use of application logs to the extent practicable.
- Log access by all users, including time of access, according to retention schedule in Security Log Collection, Analysis, and Retention (DS-19).
Quality Assurance Checking
- Use effective quality assurance techniques (for example, penetration testing, source code audits, application scanning) to identify and eliminate vulnerabilities.
- Conduct application scanning before major changes or revisions are moved to production.
- Implement and maintain a change management process, including version control, for changes to existing software applications.
- Comment your code well, and document all design decisions.
- Keep software and components (libraries, modules, dependencies) you use patched for known security vulnerabilities.
- Have a mechanism for updating all of your code's dependencies regularly.
- Use automated testing to ensure that the updates do not break your code's functionality.
- Follow vulnerability management guidance to comply with Vulnerability Management (DS-21).
- Do not allow session tokens to be sent over HTTP (use HTTPS).
- Do not create your own session token generation code.
- Prevent session fixation attacks by creating a new token upon user login.
- Keep session IDs out of URLs.
For resources and links to training to help you learn to implement these best practices, see Secure Coding: Guidance and Training Resources.