The purpose of this standard is to define the security requirements and practices that must be followed at each phase of the life cycle.
- The Business may specify additional information security requirements over and above this standard.
- Secure application development focuses specifically on information security and does not replace existing development or testing methodologies used at UofT.
- It is intended to be used in conjunction with existing processes to ensure that security is built into all levels of the application. Development activities must be carried out in accordance with a documented system development methodology to ensure that applications under development meet both business and security requirements.
Date of Effectiveness: To Be Determined
Standard Owner: Director, Information Security, Information Technology Services
Version: Version 0.5
Summary showing Section Headings

| ID | Section Headings | Brief Description |
|---|---|---|
| APS-GN | General | |
| APS-AC | Access Control | |
| APS-EH | Error Handling | |
| APS-SL | Security Logging | |
| APS-SM | Session Management | |
| APS-AM | Administration | |
| APS-DV | Development | |
| APS-CP | Secure Coding Practices | |
| APS-CR | Security Code Review | |
| APS-TS | Testing | |
| APS-IP | Implementation | |
Application Security Standard Controls

| Control ID | Control | Existing | Status | Public | Confidential | Restricted | Effort |
|---|---|---|---|---|---|---|---|
| APS-GN | General | | | | | | |
| APS-GN-01 | The information classification for application security logs and source code is Confidential and High integrity. | TRUE | Approved | Required | Required | Required | TBD |
| APS-GN-02 | Development or testing must not take place in production environments. | TRUE | Approved | Required | Required | Required | TBD |
| APS-GN-03 | All information security requirements for a project must be identified and documented. | TRUE | Approved | Required | Required | Required | TBD |
| APS-GN-04 | A design review must be conducted before development begins to ensure all security requirements have been addressed and documented. | TRUE | Approved | Required | Required | Required | TBD |
| APS-GN-05 | Information Security and Risk Management (ISEA) consultants must be engaged early in the Planning phase of an application project. | FALSE | Proposed | Required | Required | Required | TBD |
| APS-GN-06 | Additional security requirements outside this standard and an application’s approved design specifications must be reviewed and approved. | FALSE | Proposed | Required | Required | Required | TBD |
| APS-GN-07 | The security designed into an application must not degrade the approved security posture of any other system, application, or device. | TRUE | Approved | Required | Required | Required | TBD |
| APS-GN-08 | Applications must not be dependent on specific versions of supporting technologies. Any underlying supporting technology must be patchable. | TRUE | Approved | Required | Required | Required | TBD |
| APS-GN-09 | Applications must be designed or built so that they do not require developer support or developer access to production environments for non-emergency support activities. | TRUE | Approved | Required | Required | Required | TBD |
| APS-AC | Access Control | | | | | | |
| APS-AC-01 | All applications must be designed and implemented in accordance with the Identity and Access Management standard. | TRUE | Approved | Required | Required | Required | TBD |
| APS-AC-02 | All application system processes must be initiated by an ID and be capable of being traced to that ID. | TRUE | Approved | Required | Required | Required | TBD |
| APS-AC-03 | Proprietary authentication methods must not be used in place of an approved ITS authentication service. | TRUE | Approved | Required | Required | Required | TBD |
| APS-AC-04 | By default, only the minimum privileges required to meet the business requirements must be assigned to a subject or object. | TRUE | Approved | Required | Required | Required | TBD |
| APS-EH | Error Handling | | | | | | |
| APS-EH-01 | Error handling must be used throughout the application’s code base. | TRUE | Approved | Required | Required | Required | TBD |
| APS-EH-02 | Errors must be logged. | TRUE | Approved | Required | Required | Required | TBD |
| APS-EH-03 | User-facing error messages must not reveal details about the application that could compromise its security. Error messages must not contain: | TRUE | Approved | Required | Required | Required | TBD |
| APS-SL | Security Logging | | | | | | |
| APS-SL-01 | Logs must not capture or store: | TRUE | Approved | Required | Required | Required | TBD |
| APS-SL-02 | Application logging requirements must be determined in consultation with ISEA and approved by the Director of ISEA. These requirements must consider the following: | TRUE | Approved | Required | Required | Required | TBD |
| APS-SL-03 | For each security event recorded to a log file, the log file must contain: the origin of the event (for example, terminal identity, IP address, hostname, program command, daemon process, user ID, etc.). | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM | Session Management | | | | | | |
| APS-SM-01 | User session management must protect against man-in-the-middle, replay, and session hijacking attacks. | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-02 | All communication sessions must be authenticated with an approved ID. | TRUE | Approved | Recommended | Required | Required | TBD |
| APS-SM-03 | A user session or message must be authenticated with a password, secure token, digital certificate, or other secret value such as a PIN. | TRUE | Approved | Recommended | Required | Required | TBD |
| APS-SM-04 | Authentication and authorization information must be protected (encrypted on the client side or stored in the server session state store). | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-05 | User sessions must be cleared when the session is over. Browser caches and cookies must be deleted upon logout if they contain session management information. | TRUE | Approved | Recommended | Required | Required | TBD |
| APS-SM-06 | Session state identifiers must be maintained on the server. Unprotected session information must not be maintained on the client using hidden form fields, URL-passed parameters, or other unprotected client-side values. | TRUE | Approved | Recommended | Required | Required | TBD |
| APS-SM-07 | Security decisions must not be based on client-provided values that can be modified, such as HTTP headers or the HTTP Referrer value. | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-08 | Cookies used to store session information, authentication, and authorization data must be encrypted. | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-09 | Custom cryptographic routines must not be used or developed for use. Crypto-APIs (application programming interfaces) within UofT-approved technologies must be used. | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-10 | User credentials and session identifiers must be encrypted during transmission at the session layer (e.g., TLSv1.2). | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-11 | By default, application settings must be coded to not remember session data. | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-12 | Users must be provided with a session logout option that will erase or overwrite session data. | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-13 | Internet-facing user sessions must expire after no more than 15 minutes of inactivity (10 minutes recommended). Non-Internet-facing application session timeout requirements must be determined based upon a documented risk assessment. | FALSE | Proposed | Required | Required | Required | TBD |
| APS-SM-14 | Internet-facing applications must not permit multiple concurrent user sessions with the same user ID. | TRUE | Approved | Required | Required | Required | TBD |
| APS-SM-15 | All output must only be presented to authorized users who have a need to know. | TRUE | Approved | Required | Required | Required | TBD |
| APS-AM | Administration | | | | | | |
| APS-AM-01 | Passwords must not be hard-coded into the application code. | TRUE | Approved | Required | Required | Required | TBD |
| APS-AM-02 | Segregation of duties for distinct administrative functions must be developed into the application. For example, privilege management functions (add/remove users) must be separated from system configuration functions. | TRUE | Approved | Required | Required | Required | TBD |
| APS-AM-04 | Configuration data must be protected by access control. | TRUE | Approved | Required | Required | Required | TBD |
| APS-AM-05 | Configuration data must not be stored within the application’s web-accessible directory. | TRUE | Approved | Required | Required | Required | TBD |
| APS-DV | Development | | | | | | |
| APS-DV-01 | Source code must reside in a code repository protected by an access control mechanism. | TRUE | Approved | Required | Required | Required | TBD |
| APS-DV-02 | Write access to the code repository must only be given to those with a need to change source code. | TRUE | Approved | Required | Required | Required | TBD |
| APS-DV-03 | All code changes must be tracked using a source code version management system. | TRUE | Approved | Required | Required | Required | TBD |
| APS-DV-04 | Promotion of code to production and UAT environments must not be done by anyone who has authored any part of the code. | TRUE | Approved | Required | Required | Required | TBD |
| APS-CP | Secure Coding Practices | | | | | | |
| APS-CP-01 | Secure coding practices appropriate to the technologies being used must be followed to protect against known coding flaws. These include: protecting against buffer overflow conditions. | TRUE | Approved | Required | Required | Required | TBD |
| APS-CR | Security Code Review | | | | | | |
| APS-CR-01 | A formal process must be followed to ensure that appropriate code is selected and reviewed based on risk to ensure secure coding practices have been followed. Documentation of decisions must be maintained. | TRUE | Approved | Required | Required | Required | TBD |
| APS-CR-02 | Code reviews must be conducted by a qualified individual who has not authored any part of the code. | TRUE | Approved | Required | Required | Required | TBD |
| APS-CR-03 | Internet-facing application code must be reviewed by an independent internal party or external third party. | TRUE | Approved | Required | Required | Required | TBD |
| APS-TS | Testing | | | | | | |
| APS-TS-01 | Developers must not use write access in User Acceptance Testing (UAT) environments while user acceptance testing is being conducted. | TRUE | Approved | Required | Required | Required | TBD |
| APS-TS-02 | The criteria for information security testing must include all the security requirements identified during the Planning phase. | TRUE | Approved | Required | Required | Required | TBD |
| APS-TS-03 | Test results must validate all UofT security standard requirements prior to the application entering a production environment. | TRUE | Approved | Required | Required | Required | TBD |
| APS-TS-04 | Additional approved security requirements that are not validated in testing must undergo a risk assessment. | TRUE | Approved | Required | Required | Required | TBD |
| APS-IP | Implementation | | | | | | |
| APS-IP-01 | Code must be promoted from a source code repository. | | Proposed | Required | Required | Required | TBD |
| APS-IP-02 | Code must be promoted to production using methods which protect the integrity of the code (e.g., use of cryptographic hashes or file integrity checkers such as Tripwire). | TRUE | Approved | Required | Required | Required | TBD |
| APS-IP-03 | The application code and its supporting files must be promoted so that no developer support is required during installation into the production environment. | TRUE | Approved | Required | Required | Required | TBD |
| APS-IP-04 | Segregation of duties must be implemented when delegating administrative functions in a production environment. For example, privilege management functions (add/remove users) must be delegated to personnel separate from system configuration administrators. | TRUE | Approved | Required | Required | Required | TBD |
| APS-IP-05 | User accounts must be provisioned in accordance with the principle of least privilege. | TRUE | Approved | Required | Required | Required | TBD |
| APS-IP-06 | Logging, debugging, and tracing levels must be set to the level determined for production. | TRUE | Approved | Required | Required | Required | TBD |
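As an added illustration of the session management controls APS-SM-06, APS-SM-12, APS-SM-13 and APS-SM-14 above (example code, not part of the standard), a minimal server-side session store in Python: the client receives only a random identifier, inactivity beyond the configured limit (capped at the standard's 15-minute ceiling) expires the session, a new login for the same user ID revokes the previous session, and logout erases the stored data. The class and method names, and the in-memory dictionaries standing in for the server session state store, are assumptions.

```python
import secrets
import time

MAX_INACTIVITY_SECONDS = 15 * 60  # APS-SM-13 ceiling for Internet-facing sessions

class SessionStore:
    """In-memory stand-in (assumption) for the server-side session state store (APS-SM-06)."""

    def __init__(self, idle_timeout=MAX_INACTIVITY_SECONDS, clock=time.monotonic):
        if idle_timeout > MAX_INACTIVITY_SECONDS:
            raise ValueError("idle timeout exceeds the 15-minute limit")
        self.idle_timeout = idle_timeout
        self.clock = clock      # injectable clock so expiry is testable
        self._sessions = {}     # session_id -> {"user_id", "last_seen", "data"}; client holds only the ID
        self._by_user = {}      # user_id -> session_id (one live session per user)

    def create(self, user_id):
        """Start a session; any existing session for the same user ID is revoked (APS-SM-14)."""
        old = self._by_user.get(user_id)
        if old is not None:
            self.logout(old)
        sid = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, not guessable
        self._sessions[sid] = {"user_id": user_id, "last_seen": self.clock(), "data": {}}
        self._by_user[user_id] = sid
        return sid

    def lookup(self, sid):
        """Return the live session for sid, or None if unknown or idle-expired (APS-SM-13)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last_seen"] > self.idle_timeout:
            self.logout(sid)  # expired: erase it instead of leaving it resumable
            return None
        s["last_seen"] = self.clock()  # activity resets the inactivity timer
        return s

    def logout(self, sid):
        """Erase the session's server-side data (APS-SM-12); True if it existed."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return False
        s["data"].clear()
        if self._by_user.get(s["user_id"]) == sid:
            del self._by_user[s["user_id"]]
        return True
```

In a real deployment the dictionaries would be replaced by the approved server-side session store, and the identifier would be sent to the browser only in a cookie protected as APS-SM-08 and APS-SM-10 require.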