IT Security Standard: Web Applications - Security Vulnerabilities
Brief Description:
The purpose of this standard is to provide guidelines and documentation for reviewing web applications for security vulnerabilities prior to deployment.
Related Policy:
- CSU Information Security Policy - ISO Domain 14: System Acquisition, Development and Maintenance
- IT Security Standard: Vulnerability Assessment and Management
Introduction:
Web applications are susceptible to attacks that may result in exposure or modification of sensitive data, or impact on the availability of services to authorized users. Application testing is conducted to identify security flaws introduced in the design, implementation, or deployment of an application. Developers and application administrators must identify functions that are critical to security, and test those functions to verify correct operation.
Scope:
This standard applies to any department implementing and maintaining web applications locally developed and configured.
Standard:
Required:
- Web applications must be reviewed and tested for security vulnerabilities. Applications that store, process or provide access to Level 1 or Level 2 information must be tested to an appropriate level of detail based on assessed risk. For definitions of risk levels to be taken under consideration, see the Related Procedures and Resources section below.
- Vulnerability assessment must be coordinated with and approved by authorized individuals.
- All security flaws must be entered into a defect tracking system (e.g., Snyk Exception), clearly identified as a security defect, and categorized according to severity. This information must be protected appropriately, prioritized, and fixed before the application is released (or compensating controls in place). Flaws discovered in applications already released must be assessed to determine whether there is a low/medium/high level of exposure due to the following factors:
- The likelihood that the security flaw would be exposed
- The impact on information security, integrity, and application availability
- The level of access that would be required to exploit the security flaw
- Emergency procedures for addressing security flaws must be defined and documented prior to production deployment.
- Applications restricted to on-campus (hosted-on premise) will only be accessed via VPN (no firewall pinholes).
- Applications that must be available globally should be hosted in the cloud (e.g., AWS, Azure...), requiring single sign-on, utilizing multi-factor authentication, and protected with a Web Application Firewall.
Recommended:
- Web software applications should be developed per secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines.
- Peer-review code with at least one other technically trained individual.
- Validate all data received via the HTTP Request. Not validating data can result in attacks such as Cross-Site Scripting, SQL Injection, HTTP Response Splitting, Log Injection, and Directory Traversal.
- Validate the data on the server-side. All data (even hidden fields and data from pull-down lists) are subject to being modified by a malicious user and should be validated server-side.
- Pass session IDs and cookies via SSL (HTTPS). Hackers can intercept unprotected session IDs and cookies and use them to compromise the user’s session (session hijacking), and the security of your system.
- Vulnerability scans should be performed before moving the application to production or whenever there are changes to the application.
- Review the OWASP guidelines. Identify those potential vulnerabilities that may apply to your web application. Review your code and test your application to ensure that your application is not vulnerable. (See the Related Procedures and Resources section below for the link to more detailed information about these software vulnerabilities.)
Definitions:
Web Application - For the purposes of these IT Security Standards, a web application is defined as any application that connects to a campus network and/or the Internet and dynamically accepts user input.
Responsibilities:
Anyone who develops and/or maintains web application source code is expected to have knowledge of and exposure to security standards and best practices.
Non-Compliance and Exceptions:
Applications may be scanned or physically examined for compliance with this standard at any time. If a web application is found to be non-compliant and the problem is not resolved in the timeframe determined in consultation with the Information Security Office, the host device may be removed from the Cal Poly network until it does comply. If it is technically infeasible for an information asset to meet this standard, departments must submit a request for an exception (visit the Information Security Resources Wiki).
Related Procedures and Resources:
Campus Standards and Practices
- IT / Information Security Exception Request Process
- Vulnerability Assessment and Management Standard
- Information Asset Risk Level Definition
Static Analysis Tools
Static code analysis is the analysis of computer software that is performed without actually executing programs built from that software. Static Analysis Tools should:
- Support the programming languages required
- Scan and report vulnerabilities with a minimum of false positives and false negatives
- Support a centralized security policy management so all scans use established policies
- Scan for malicious code detection
- Support the use of an underlying DBMS to collect, report, export and analyze scan results
- Provide remediation for vulnerabilities found
- Provide measurement metrics for long term trending of applications
- Enable collaboration between security teams and development and QA
- Provide customization capabilities to accommodate unique coding styles
- Correlate dynamic testing to assist in the prioritization of static results
Web Application Vulnerability Scanners
Web application scanners allow testers and application developers the ability to scan web applications in a fully operational environment and check for many known security vulnerabilities. Web application scanners parse URLs from the target website to find vulnerabilities. These scanners check web applications for common security problems such as SQL injection, cross-site scripting, command injection, buffer overflow, session management, and other vulnerabilities. These tools can be used to satisfy code review requirements based on the security checks provided by the tool. Web application scanners should be used on each web application release prior to deployment to a production environment.
Campus Provided Tools:
- BurpSuite
- Snyk
- Signal Sciences Web Application Firewall
Implementation:
Effective Date: | 9/30/2010 |
---|---|
Review Frequency: | Annual |
Responsible Officer: | Vice President/Chief Information Officer |
Revision History
Date | Action | Pages |
---|---|---|
9/30/2010 | Release of New Document | All |
9/05/2014 |
Reviewed and updated links. Removed free and commercial tools, and utilities section. Added campus tools section. Removed website links no longer relevant. Added: vulnerability scans recommended before moving app to prod. |
All |
10/20/2020 | Reviewed and updated tools/MFA/WAF. Links updated. | All |