IT Security Standard: Web Application Development

Brief Description:

The purpose of this standard is to assist developers and administrators of campus web applications by providing guidelines and standards for use during the web application development process. For the purposes of these IT Security Standards, a web application is defined as any application that connects to a campus network and/or the Internet and that dynamically accepts user input. This process should incorporate a documented approval process, a documented change management plan, security vulnerability testing, applicable software application testing, and a revision control system.


Departments that develop, maintain, and support web applications must incorporate procedures to ensure these applications are appropriately managed and documented throughout their life-cycle.  These procedures include:

  • formal documentation and approval of a web application throughout its life-cycle from initial proposal through deployment to a production environment
  • formal change management and approval processes that include separation of duties and/or management oversight
  • formal documentation for testing procedures, including:
    • testing for security vulnerabilities
    • formal user acceptance
  • use of a version control system


This standard applies to any departments that develop and maintain web applications.



Prior to Initial Development

  1. Each department that develops a web application must implement a method for documenting the proposal, development, change management, and approval process throughout the life of that web application.  For more details on the approval process, refer to IT Security Standard: Web Application Approval Process.
  2. A formal (i.e. written) request for a web application must be made by the person or group sponsoring the application.
  3. Approval of all stakeholders is required prior to moving on to the development phase of the web application.

During the Life-cycle of the Web Application

  1. Web application software must utilize a version control system.  For more details, refer to IT Security Standard: Web Application Version Control.
  2. Web application developers must follow industry best practices to secure the web application (i.e. secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines.
  3. Web application developers must use a campus-supported authentication system such as CAS or Shibboleth for web applications that require Cal Poly user credentials for authentication (i.e. Cal Poly username/password).  (If your web application will be accessed by users external to Cal Poly, each user must have an affiliated user account.
  4. If the web application requires data from the campus Data Warehouse, the application sponsor must submit an Application Data Request Form for review and approval. 

Prior to Deployment to Production Environment

  1. Web application testing procedures must include the following:
    1. Software and user acceptance testing as noted in IT Security Standard: Web Application Software Testing.
    2. Scanning for and repairing security vulnerabilities in accordance with the IT Security Standard: Web Application Security Vulnerabilities and IT Security Standard: Vulnerability Assessment and Management.
    3. Testing for compliance with applicable laws, policies, and industry standards, including but not limited to accessibility, confidentiality, privacy, etc.
  2. Appropriate approval and sign-off must be obtained as defined by the department in accordance with IT Security Standard: Web Application Approval Process.

Deployment to Production Environment

The appropriate chain of approval signoff and separation of duties must be followed in accordance with IT Security Standard: Web Application Approval Process.


The manner in which a formal (i.e. written) web application development request is made (e-mail, Word document, ticket tracking system, etc.) is left up to the discretion of the department.  The following are intended as helpful suggestions.  The size and complexity of your web application will determine if any of the following considerations apply.

Prior to Initial Development

The formal web application development request may include:

  1. Functional specifications including the purpose of the web application and its required behavior
  2. Expected number of concurrent users under normal load
  3. Expected periods of heavy activity during the year
  4. Data required from campus repositories such as the Data Warehouse
  5. Individuals/groups who will have access to the web application (e.g. applicants, students, faculty, staff)
  6. Expectations for availability
  7. Expectations for backup and recovery

The department/resource that will develop the web application may provide an assessment of the following:

  1. Feasibility, practicality of implementation
  2. Usefulness
  3. Impact on and availability of required resources (including other individuals, groups/, departments, or systems)
  4. Cost-effective utilization of resources
  5. Commitment of sponsor to thoroughly test the web application
  6. In-Scope requirements
  7. Out-of-Scope requirements
  8. Approval of stakeholders

During the Life-cycle of the Web Application

  1. Any code changes made to the web application that are outside of the original proposal ought to be documented, reviewed, and approved according to the department’s change management process.


Web Application - For the purposes of these IT Security Standards, a web application is defined as any application that connects to a campus network and/or the Internet and that dynamically accepts user input.


Anyone who develops and/or maintains web application source code is expected to have knowledge of and exposure to the best practices as reflected in software development life-cycle methodologies.

Non-Compliance and Exceptions:

Applications may be scanned or physically examined for compliance with this standard at any time.  If a web application is found to be non-compliant and the problem is not resolved in the timeframe determined in consultation with the Information Security Office, the host device may be removed from the Cal Poly network until it does comply.  If it is technically infeasible for an information asset to meet this standard, departments must submit a request for exception to the Vice Provost/CIO and Information Security Officer for review and approval.


Effective Date: 9/30/2010
Review Frequency: Annual
Responsible Officer: Vice Provost/Chief Information Officer

Revision History

Date Action Pages
9/30/2010 Release of New Document All
9/04/2014 Reviewed and updated links All


Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000


Did you know?

Stay Safe Online Tips