Administrative Procedures Handbook
Secure Application Development Guidelines
This procedure establishes guidelines to ensure that the risks associated with university applications are properly managed. This includes but is not limited to the following:
- Units are required to consult with University Technology (uTech) prior to engaging in any custom application development to assure that centralized, freely available full-time programming resources can be used in some capacity, including defining requirements, scope, architecture, security, data modeling, project management, etc.
- It is highly recommended that any major application development effort or any application development effort involving sensitive data follow the university Secure Web Application Development Standards (ECOM login required). See also: WIU’s Data Security and Handling Policy.
- Applications must work on existing infrastructure.
- The Chief Information Security Officer (CISO) reserves the right to have an application assessed prior to being made available for use. Depending on the risk to the university, this may include having the application assessed by a third party at department expense.
- On request, source code and documentation will be provided to the office of the CISO or internal audit (may apply to custom code developed by a 3rd party for the university).
- Prior to installation on WIU’s production environment, major applications or applications that touch sensitive data must be tested on a uTech-managed test environment.
- Units will make provisions for ongoing technical support of the application, whether through local programming resources, an SLA with University Technology, or a maintenance contract.
- University Technology will not be responsible for maintaining custom applications that were developed without consultation, or that were developed without an agreed-upon SLA/contract.
- No programs will run at a level that bypasses security.
- Custom software development requires but is not limited to the following:
  - An application firewall should be in place to provide an umbrella of security for yet-to-be-remediated applications and as-yet-unknown (zero-day) vulnerabilities.
  - It is recommended that peer code reviews and walkthroughs be done.
Applications must be scanned for security vulnerabilities and remediated prior to going into production. This requirement can be met by vendors providing detailed independent 3rd-party security audit reports (the security vendor must be reputable, such as VeriSign, Foundstone, etc.) showing that all high-level or higher security vulnerabilities have been remediated or that a reasonable remediation timeline has been documented and agreed upon. At a minimum, University Technology must conduct annual penetration testing of network components and applications.
Last reviewed: July 18, 2024
University Technology
Stipes Hall 126
Phone: (309) 298-TECH
E-Mail: G-Kain@wiu.edu