ÁÔÆæÖØ¿Ú

UM Web Application Security Standard

UM Information Security Office - Area: Information Security Policy

Document History

Approvals

Introduction

Common methods for accessing University Data include Web Applications. These computer software programs can be particularly susceptible to malicious attacks due to their public visibility and accessibility. This can result in the exposure or modification of University Data. To mitigate these risks, UM System individuals responsible for creating, developing, updating, maintaining, or administering UM Web Applications are required to implement appropriate classification and security procedures in accordance with the UM Information Security Policy and this Standard.

Roles and Responsibilities

Applicability

This Standard applies to all UM System individuals and other users of University Data wherever located, including all third-party individuals or entities granted access to University Data. Additionally, this Standard establishes and outlines requirements that apply to University Web Applications (including those that are designed for use on mobile devices) that:

• Are hosted on UM-managed networks or hardware;
• Are institute and other sites operated under the auspices of UM System employees or third-party vendors or providers;
• Function at the umt.edu, umontana.edu, mtech.edu, umwestern.edu, or helenacollege.edu top level domain (“TLD”); or
• Use or incorporate the UM System’s trademarks, service marks, or logos.

Information Security Program

The Chief Information Security Officer (CISO) oversees and directs a comprehensive Information Security Program to protect and preserve the availability, confidentiality, and integrity of UM Data. The program supports the UM System’s compliance with all applicable statutory, regulatory, policy, and contractual guidance or requirements, and is shaped by industry best practices. All UM System units and personnel who administer, maintain, create, or develop Web Applications are responsible for implementing the appropriate Web Application classification and security procedures as outlined in this Web Application Security Standard described below.

Additional Roles and Responsibilities

The CISO shall serve as the UM System’s primary enforcement officer for the purposes of this Standard.

At the direction of the CISO, the Information Security Office provides services such as Web Application assessments and scanning, incident response, and guidance for complying with Information Security controls.

System administrators shall coordinate with the Information Security Office to perform security testing and scanning and collaborate with Web Application developers to apply Web Application protections in accordance with criticality ratings as appropriate.

Web developers shall coordinate with the Information Security Office to perform security testing and scanning and collaborate with business units to establish an inventory and criticality ratings for Web Applications as appropriate.

STANDARD

Inventory

Web developers and responsible business units must maintain a current inventory of Web Applications. The inventory should include Web Application descriptions, authentication mechanisms, data types and data classification, availability rating, overall criticality rating, and address and/or URL.

Criticality Classification is performed initially by web developers in coordination with the business unit responsible for the web application. An initial evaluation based on Data Classification and availability requirements will result in an overall criticality rating for the Web Application. The following criticality table represents the model to follow:

Availability ratings are a business-based classification determined by the importance of an application’s position in business continuity. “Tier 1 – mission critical” Web Applications represent core functions that if unavailable would result in the University being unable to conduct business (e.g., enterprise learning systems, payroll systems, student administration systems, and authentication systems that support other systems). “Tier 1 – mission critical” Web Applications additionally represent those applications that handle Confidential.

Secure Web Development

Use of secure development guidelines (e.g., the Open Web Application Security Project also known as “OWASP”) is essential to a secure Software Development Life Cycle (“SDLC”). Consider the following principles during application threat modeling and secure application development.

• Defense in depth
• Use a positive security model
• Fail securely
• Run with least privilege
• Open design
• Keep security simple
• Detect intrusions
• Do not trust infrastructure
• Do not trust services
• Establish secure defaults
• Do not trust third-party source code

Authentication and Authorization

Ensuring appropriate access to Web Applications is a critical security component. Authentication and authorization help ensure the right user or client has access to the right resource at the right time.

Authentication

Authentication is a process that ensures and confirms a user’s identity by matching provided credentials with those stored in a system of record. Web applications must properly authenticate users through UM System supported central authentication systems. If supported authentication systems cannot be used, an exception request must be made that details why the application cannot use existing systems.

Authorization

Authorization is a mechanism used to determine user privileges or access levels related to system resources. Use central authorization and group membership sources where possible, as opposed to groups that only exist within the application. This allows user access across the enterprise to be discovered and managed outside of the specific application. Document clear rules and processes for vetting and approving authorizations. At least annually, review and promptly remove all authorizations for individuals who have left the University, transferred to another department, or assumed new job duties within the department.

Security Testing

All web applications should undergo security testing. Testing should be based on the criticality ratings and may include automated and/or manual forms of assessment. A Web Application’s developer has primary responsibility for the security of the application, including timely response to reasonably suspected or reported security issues and testing results. As a guide, the Open Web Application Security Project, OWASP, Top Ten Web Application Vulnerabilities may be used as a foundation for security testing. Vulnerabilities found during security testing must be documented in the system of record and assigned to the appropriate web developer. Remediation steps, and follow-up testing results, will be documented and, when necessary, attached to an associated change management record.

Security Testing Schedule

Security testing should occur during different phases of the Software Development Lifecycle and then in an ongoing fashion throughout the life of a Web Application, including:

• Before the production launch of a new High or Very High criticality Web Application
• Before a significant change to a High or Very High criticality production Web Application
• As directed by an information security review or upon request from the Chief Information Security Officer, Information Security Office, or developers of a Web Application
• When there are active threats, security events, or security incidents

Continuous monitoring and testing of publicly accessible Web Applications by a third party may be performed in lieu of University staff – this provides an opportunity for more frequent assessments on a set of applications “open to the world” and therefore potentially more vulnerable to attack. Results of vulnerable applications should be provided to the Information Security Office for evaluation and analysis. Following this evaluation and analysis, additional testing and manual assessments of a Web Application may occur where additional rigor and verification is needed. Additionally, penetration testing and manual assessments of a Web Application may be conducted following a third-party report, peer institution information sharing, logged attacks, or other indicators of heightened risk or threat such as, but not limited to, those identified from Web Application firewall logging and monitoring.

If a Web Application is hosted by a third-party provider and/or not hosted on UM’s network, automated or manual tests should be performed by the vendor or the vendor’s third-party assessor on an appropriate recurring schedule with results provided to the Information Security Office.

Exceptions Review

It may be necessary to postpone a scheduled scan or security test. If security testing cannot follow the set schedule, an exception request must be made that details why postponement or deferral is necessary. The CISO (or their designee) will promptly act on all exception request approvals. Exceptions may include:

• Production system freeze or semester start-up periods
• Conflicts with other critical changes scheduled during the same period
• Security testing is believed to break functionality or cause excessive system load
• Systems, applications, or devices where appropriate risk-mitigation controls are put in place, documented and validated
• Resources are unavailable to perform penetration testing and manual assessments

In all cases of exception requests, the implementation of Web Application firewall should be considered as a mitigating control to potential threats

Training

In addition to UM’s Information Security Awareness Training and IT staff training requirements, web developers should pursue or receive web development and secure coding training to ensure a baseline set of skills and knowledge for securing Web Applications. This training should include annual review of the OWASP guidelines and taking part in peer code reviews.

Procedures

The UM Information Security Advisory Council will review and, if necessary, revise the UM Web Application Security Standard annually.

References

• BOR 1300.1 Security of Data and Information Technology Resources
• UM Information Security Policy
• UM Data Governance Policy
• UM Data Classification and Stewardship Standard
• UM Data Security Standard
• Open Web Application Security Project (OWASP)