The purpose of this standard is to define the security requirements and practices that must be followed at each phase of the life cycle.

  • The Business may specify additional information security requirements over and above this standard.
  • Secure application development focuses specifically on information security and does not replace existing development or testing methodologies used at UofT.
  • It is intended to be used in conjunction with existing processes to ensure that security is built into all levels of the application. Development activities must be carried out in accordance with a documented system development methodology to ensure that applications under development meet both business and security requirements.

Date of Effectiveness

To Be Determined

Standard Owner

Director, Information Security, Information Technology Services

Version

Version 0.5

Summary showing Section Headings

ID       Section Headings          Brief Description
APS-GN   General
APS-AC   Access Control
APS-EH   Error Handling
APS-SL   Security Logging
APS-SM   Session Management
APS-AM   Administration
APS-DV   Development
APS-CP   Secure Coding Practices
APS-CR   Security Code Review
APS-TS   Testing
APS-IP   Implementation

Application Security Standard Controls

Control ID Control Existing Status Public Confidential Restricted Effort
APS-GN General Existing Status Public Confidential Restricted Effort
APS-GN-01 The information classification for application security logs and source code is Confidential and High integrity. TRUE Approved Required Required Required TBD
APS-GN-02 Development or testing must not take place in production environments TRUE Approved Required Required Required TBD
APS-GN-03 All information security requirements for a project must be identified and documented TRUE Approved Required Required Required TBD
APS-GN-04 A design review must be conducted before development begins to ensure all security requirements have been addressed and documented TRUE Approved Required Required Required TBD
APS-GN-05 Information Security and Risk Management (ISEA) consultants must be engaged early in the Planning phase of an application project. FALSE Proposed Required Required Required TBD
APS-GN-06 Additional security requirements outside this standard and an application’s approved design specifications must be reviewed and approved FALSE Proposed Required Required Required TBD
APS-GN-07 The security designed into an application must not degrade the approved security posture of any other system, application, or device TRUE Approved Required Required Required TBD
APS-GN-08 Applications must not be dependent on specific versions of supporting technologies. Any underlying supporting technology must be patchable TRUE Approved Required Required Required TBD
APS-GN-09 Applications must be designed or built so that they do not require developer support or developer access to production environments for non-emergency support activities. TRUE Approved Required Required Required TBD
APS-AC Access Control Existing Status Public Confidential Restricted Effort
APS-AC-01 All applications must be designed and implemented in accordance with the Identity and Access Management standard TRUE Approved Required Required Required TBD
APS-AC-02 All application system processes must be initiated by an ID and be capable of being traced to that ID. TRUE Approved Required Required Required TBD
APS-AC-03 Proprietary authentication methods must not be used in place of an approved ITS authentication service. TRUE Approved Required Required Required TBD
APS-AC-04 By default, only the minimum privileges required to meet the business requirements must be assigned to a subject or object TRUE Approved Required Required Required TBD
APS-EH Error Handling Existing Status Public Confidential Restricted Effort
APS-EH-01 Error handling must be used throughout the application’s code base TRUE Approved Required Required Required TBD
APS-EH-02 Errors must be logged. TRUE Approved Required Required Required TBD
APS-EH-03 User-facing error messages must not reveal details about the application that could compromise its security. Error messages must not contain:

  • Application source code or variable names.
  • The operating system (OS) name, version, or patch level of the application or any supporting technology.
  • Detailed reasons for failed authentication
TRUE Approved Required Required Required TBD
APS-SL Security Logging Existing Status Public Confidential Restricted Effort
APS-SL-01 Logs must not capture or store:

  • Plaintext passwords.
  • Plaintext PINs.
  • Restricted business information contained within the application.
  • Personal information
TRUE Approved Required Required Required TBD
APS-SL-02 Application logging requirements must be determined in consultation with ISEA and approved by the Director of ISEA. These requirements must consider the following:

  • User logon success / failure.
  • User password reset.
  • User account lockout.
  • User logoff.
  • Privileged information access events to Confidential or Restricted data including Read, Write, and Delete access.
  • Add user ID.
  • Assign / remove privileges.
  • Reset another user’s password.
  • Delete user.
  • Lock / unlock user account.
  • Application system start / stop.
  • Application system configuration.
  • Application system backup / restore.
  • Logging / auditing access.
  • Cryptographic key functions (key generation, revocation, certificate requests, etc.).
  • Application / subsystem failure.
  • Application / subsystem start / stop.
TRUE Approved Required Required Required TBD
APS-SL-03 For each security event recorded to a log file, the log file must contain:

  • An accurate date and time stamp synchronized to a UofT authorized time service.
  • The origin of the event (for example, terminal identity, IP address, hostname, program command, daemon process, user ID, etc.).
  • The activity being logged (for example, category or type of event).
  • The status or outcome of the activity (the event’s success or failure).
TRUE Approved Required Required Required TBD
APS-SM Session Management Existing Status Public Confidential Restricted Effort
APS-SM-01 User session management must protect against man-in-the-middle, replay, and session hijacking attacks. TRUE Approved Required Required Required TBD
APS-SM-02 All communication sessions must be authenticated with an approved ID. TRUE Approved Recommended Required Required TBD
APS-SM-03 A user session or message must be authenticated with a password, secure token, digital certificate, or other secret value such as a PIN. TRUE Approved Recommended Required Required TBD
APS-SM-04 Authentication and authorization information must be protected (encrypted on the client-side or stored in the server session state store). TRUE Approved Required Required Required TBD
APS-SM-05 User sessions must be cleared when the session is over. Browser caches and cookies must be deleted upon logout if they contain session management information. TRUE Approved Recommended Required Required TBD
APS-SM-06 Session state identifiers must be maintained on the server. Unprotected session information must not be maintained on the client using hidden form fields, URL passed parameters, or other unprotected client side values. TRUE Approved Recommended Required Required TBD
APS-SM-07 Security decisions must not be based on client provided values that can be modified such as HTTP headers or the HTTP Referrer value TRUE Approved Required Required Required TBD
APS-SM-08 Cookies used to store session information, authentication, and authorization data must be encrypted. TRUE Approved Required Required Required TBD
APS-SM-09 Custom cryptographic routines must not be used or developed for use. Crypto-APIs (application programming interfaces) within UofT approved technologies must be used TRUE Approved Required Required Required TBD
APS-SM-10 User credentials and session identifiers must be encrypted during transmission at the session layer (e.g., TLSv1.2). TRUE Approved Required Required Required TBD
APS-SM-11 By default, application settings must be coded to not remember session data. TRUE Approved Required Required Required TBD
APS-SM-12 Users must be provided with a session logout option that will erase or overwrite session data. TRUE Approved Required Required Required TBD
APS-SM-13 Internet-facing user sessions must expire after no more than 15 minutes of inactivity (10m min recommended). Non-Internet-facing application session timeout requirements must be determined based upon a documented risk assessment. FALSE Proposed Required Required Required TBD
APS-SM-14 Internet-facing applications must not permit multiple concurrent user sessions with the same user ID. TRUE Approved Required Required Required TBD
APS-SM-15 All output must only be presented to authorized users who have a need to know. TRUE Approved Required Required Required TBD
APS-AM Administration Existing Status Public Confidential Restricted Effort
APS-AM-01 Passwords must not be hard-coded into the application code. TRUE Approved Required Required Required TBD
APS-AM-02 Segregation of duties for distinct administrative functions must be developed into the application. For example, privilege management functions (add/remove users) must be separated from system configuration functions TRUE Approved Required Required Required TBD
APS-AM-04 Configuration data must be protected by access control. TRUE Approved Required Required Required TBD
APS-AM-05 Configuration data must not be stored within the application’s web accessible directory TRUE Approved Required Required Required TBD
APS-DV Development Existing Status Public Confidential Restricted Effort
APS-DV-01 Source code must reside in a code repository protected by an access control mechanism TRUE Approved Required Required Required TBD
APS-DV-02 Write access to the code repository must only be given to those with a need to change source code TRUE Approved Required Required Required TBD
APS-DV-03 All code changes must be tracked using a source code version management system. TRUE Approved Required Required Required TBD
APS-DV-04 Promotion of code to production and UAT environments must not be done by anyone who has authored any part of the code TRUE Approved Required Required Required TBD
APS-CP Secure Coding Practices Existing Status Public Confidential Restricted Effort
APS-CP-01 Secure coding practices appropriate to the technologies being used must be followed to protect against known coding flaws. These include:

Protecting Against Buffer Overflow Conditions

  • Sufficient bounds-checking must be completed.
  • Input validation must be implemented.

Protecting Against Invalid Input

  • All user-submitted input must be validated by the application for correct format, content, and length.
  • Specific characters and strings in user-submitted input from forms, fields, or URLs that the application may recognize as a scripted function must be escaped or filtered.
  • Input validation must be conducted on the server-side. Client-side validation must never be used as a substitution for server-side input validation.
  • The application must be able to handle unexpected encoded, internationalized, and Unicode input.

Protecting Against Cross Site Scripting

  • User-submitted hyperlinks must be validated.
  • User sessions must be authenticated and managed.

Protecting Against Code Injection

  • Whenever one programming language is embedded inside another, protection against code injection vulnerabilities must be implemented.
  • Injected code must be filtered out from user inputs.

Protecting Against Query String Manipulation

  • Query string parameters must not pass unencrypted authentication or authorization data.
  • HTTP POST must be used instead of HTTP GET to submit Web forms.

Writing the Application to Run Securely and Consistently

  • The application’s processes must run in user mode only. The application must not be developed so that it needs to run in privileged mode (for example, root or LocalSystem privileges).
  • Code must never be copied from, or pasted to, unapproved Internet-facing user groups, public chat forums, or unofficial Web sites.
  • Unapproved open source code must not be copied into UofT developed applications.
  • Obfuscation of key variables and sensitive code must never be used as a substitution for encryption.
  • Code must be designed to fail-safe. For example, access controls must deny access if an underlying process fails.
TRUE Approved Required Required Required TBD
APS-CR Security Code Review Existing Status Public Confidential Restricted Effort
APS-CR-01 A formal process must be followed to ensure that appropriate code is selected and reviewed based on risk to ensure secure coding practices have been followed. Documentation of decisions must be maintained. TRUE Approved Required Required Required TBD
APS-CR-02 Code reviews must be conducted by a qualified individual who has not authored any part of the code. TRUE Approved Required Required Required TBD
APS-CR-03 Internet-facing application code must be reviewed by an independent internal party or external third party. TRUE Approved Required Required Required TBD
APS-TS Testing Existing Status Public Confidential Restricted Effort
APS-TS-01 Developers must not use write access in User Acceptance Testing (UAT) environments while user acceptance testing is being conducted TRUE Approved Required Required Required TBD
APS-TS-02 The criteria for information security testing must include all the security requirements identified during the Planning phase TRUE Approved Required Required Required TBD
APS-TS-03 Test results must validate all UofT security standard requirements prior to the application entering a production environment. TRUE Approved Required Required Required TBD
APS-TS-04 Additional approved security requirements that are not validated in testing must undergo a risk assessment TRUE Approved Required Required Required TBD
APS-IP Implementation Existing Status Public Confidential Restricted Effort
APS-IP-01 Code must be promoted from a source code repository. Proposed Required Required Required TBD
APS-IP-02 Code must be promoted to production using methods which protect the integrity of the code (e.g., use of cryptographic hashes or file integrity checkers such as Tripwire). TRUE Approved Required Required Required TBD
APS-IP-03 The application code and its supporting files must be promoted so that no developer support is required during installation into the production environment. TRUE Approved Required Required Required TBD
APS-IP-04 Segregation of duties must be implemented when delegating administrative functions in a production environment. For example, privilege management functions (add/remove users) must be delegated to personnel separate from system configuration administrators. TRUE Approved Required Required Required TBD
APS-IP-05 User accounts must be provisioned in accordance with the principle of least privilege. TRUE Approved Required Required Required TBD
APS-IP-06 Logging, debugging, and tracing levels must be set to the level determined for production TRUE Approved Required Required Required TBD
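The following worked example illustrates APS-EH-02, APS-EH-03, APS-SL-01 and APS-SL-03 together: every security event is written with a timestamp, origin, activity and outcome, secret-bearing fields are masked before they reach the log, and a failure is logged in full internally while the user receives only a generic message and an opaque reference. It is added here as an illustration and is not code from the standard or from UofT; the field names, the `REDACTED_KEYS` list, the function names and the sample event are assumptions made for this example.

```python
import json
import logging
import secrets
from datetime import datetime, timezone

# Field names whose values must never be written to a log (APS-SL-01).
# The list is an assumption for this example; extend it to match the
# application's own form and API field names.
REDACTED_KEYS = {"password", "pin", "new_password", "old_password"}

# Generic, non-revealing text shown to the user (APS-EH-03).
GENERIC_USER_MESSAGE = ("The request could not be completed. "
                        "Quote the reference when contacting support.")


def redact(details: dict) -> dict:
    """Return a copy of details with secret-bearing fields masked."""
    return {k: ("<redacted>" if k.lower() in REDACTED_KEYS else v)
            for k, v in details.items()}


def security_event(activity: str, outcome: str, origin: dict, **details) -> dict:
    """Build one log record carrying the fields APS-SL-03 requires:
    timestamp, origin, activity and outcome. Free-form details are redacted."""
    return {
        # UTC timestamp; the host clock is assumed to be synchronised to the
        # UofT authorized time service (APS-SL-03).
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "origin": origin,        # e.g. user ID, source IP, program name
        "activity": activity,    # e.g. "user.logon", "user.password_reset"
        "outcome": outcome,      # "success" or "failure"
        "details": redact(details),
    }


def log_security_event(record: dict, logger=None) -> str:
    """Serialise the record as one JSON line and emit it (APS-EH-02)."""
    line = json.dumps(record, sort_keys=True)
    (logger or logging.getLogger("security")).info(line)
    return line


def handle_failure(exc: Exception, origin: dict, logger=None) -> dict:
    """Log the full exception under an opaque reference ID, and return only
    a generic message plus that reference to the user (APS-EH-02/03)."""
    reference = secrets.token_hex(8)
    record = security_event("request.error", "failure", origin,
                            reference=reference,
                            exception_type=type(exc).__name__,
                            exception=str(exc))
    log_security_event(record, logger)
    return {"error": GENERIC_USER_MESSAGE, "reference": reference}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample: a failed logon whose submitted password must not be logged.
    log_security_event(security_event(
        "user.logon", "failure",
        {"user_id": "jdoe", "ip": "203.0.113.7", "program": "portal"},
        password="hunter2", reason="invalid credentials"))
    # Constructed sample: an internal error whose detail stays in the log only.
    print(handle_failure(RuntimeError("db01.internal: connection refused"),
                         {"user_id": "jdoe", "ip": "203.0.113.7"}))
```

The reference ID is what lets a support analyst join the user's report to the full log record; the user-facing text itself carries no operating system, stack trace or authentication detail.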
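The next example covers the session management controls APS-SM-05, SM-06, SM-07, SM-08, SM-10, SM-12, SM-13 and SM-14: session state lives only on the server, the client holds nothing but an unguessable opaque identifier delivered in a `Secure; HttpOnly; SameSite=Strict` cookie, a session expires after 15 minutes of inactivity, and a new logon with the same user ID invalidates the previous session. This is an added illustration, not code from the standard or from UofT; the class names, the cookie name `sid` and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_SECONDS = 15 * 60   # APS-SM-13 upper bound for Internet-facing sessions


@dataclass
class Session:
    user_id: str
    last_seen: float
    data: dict = field(default_factory=dict)   # kept server-side only (APS-SM-06)


class SessionStore:
    """In-memory server-side session store (assumed name for this example)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # session id -> Session
        self._by_user = {}           # user id -> current session id

    def create(self, user_id: str) -> str:
        # APS-SM-14: a new logon invalidates any existing session for the same user ID.
        old = self._by_user.pop(user_id, None)
        if old is not None:
            self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, not guessable
        self._sessions[sid] = Session(user_id, self._clock())
        self._by_user[user_id] = sid
        return sid

    def lookup(self, sid: str):
        """Resolve a presented cookie value to its Session, or None.
        The client supplies only the opaque ID (APS-SM-07); everything that
        a security decision depends on is read from the server-side record."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:   # APS-SM-13
            self.destroy(sid)
            return None
        session.last_seen = now
        return session

    def destroy(self, sid: str) -> None:
        """Erase server-side session data on logout (APS-SM-12)."""
        session = self._sessions.pop(sid, None)
        if session is not None and self._by_user.get(session.user_id) == sid:
            del self._by_user[session.user_id]


def session_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT_SECONDS) -> str:
    """Set-Cookie value for the session ID: Secure limits it to TLS (APS-SM-10),
    HttpOnly keeps it away from page script, SameSite=Strict stops cross-site sends."""
    return f"sid={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"


def logout_cookie_header() -> str:
    """Set-Cookie value that expires the session cookie on logout (APS-SM-05)."""
    return "sid=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("jdoe")
    print(session_cookie_header(sid))
    print(store.lookup(sid))
    store.destroy(sid)
    print(logout_cookie_header(), store.lookup(sid))
```

Because `lookup` is the only path from a cookie value to a user identity, HTTP headers, hidden fields and URL parameters never feed an authorization decision directly, which is the substance of APS-SM-06 and SM-07. Encrypting the cookie (APS-SM-08) is unnecessary here because it carries no data at all, only a random handle.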
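For APS-CP-01, the following example shows four of the listed practices in working code: server-side validation of format, content and length (including rejection of non-string and non-ASCII input), validation of a user-submitted hyperlink, escaping of user text before it is embedded in HTML, a parameterized database query in place of string concatenation, and a fail-safe access check that denies when the underlying policy lookup fails. It is an added illustration rather than code from the standard or from UofT; the username format rule, the in-memory `users` table and all function names are assumptions made for the example.

```python
import html
import re
import sqlite3
from urllib.parse import urlparse

# Assumed format rule: lower-case letter, then 2 to 31 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(raw) -> str:
    """Server-side check of format, content and length. Raises ValueError
    on anything unexpected; the message stays generic (APS-EH-03)."""
    if not isinstance(raw, str):
        raise ValueError("invalid input")
    value = raw.strip()
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid input")
    return value


def validate_link(raw: str) -> str:
    """Accept only http(s) hyperlinks with a host (user-submitted hyperlinks
    must be validated); javascript:, data: and relative references are refused."""
    parts = urlparse(raw.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("invalid input")
    return parts.geturl()


def render_greeting(display_name: str) -> str:
    """Escape before embedding user text in HTML so the browser never
    interprets it as markup or script."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


def find_user(conn: sqlite3.Connection, username: str):
    """Parameterized query: the value is bound as data and cannot alter the SQL."""
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchone()


def is_allowed(policy_lookup, user_id: str, resource: str) -> bool:
    """Fail-safe access control: any failure in the underlying policy
    lookup results in denial, never in an implicit allow."""
    try:
        return bool(policy_lookup(user_id, resource))
    except Exception:
        return False


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table used for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(find_user(conn, validate_username(" alice ")))
    print(render_greeting("<b>Alice</b>"))
    print(is_allowed(lambda u, r: u == "alice", "alice", "/reports"))
```

The validation functions raise rather than return a cleaned-up guess, so a caller cannot accidentally proceed with partially accepted input; the generic "invalid input" text is what reaches the user, while the reason can be logged server-side.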
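Finally, for APS-IP-02, this example implements the cryptographic-hash approach the control mentions: a SHA-256 manifest is built from the release tree at the source side, and the tree is verified against that manifest on the promotion target so that any modified, missing or unexpected file is reported before the code goes live. It is an added illustration and not code from the standard, from UofT or from Tripwire; the sample release files and the function names are constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large artefacts are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest.
    The manifest itself should travel to the target over an integrity-protected
    channel, or be signed, so it cannot be altered along with the files."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_release(root: Path, manifest: dict) -> dict:
    """Compare the tree at root with the manifest. Returns a dict of problems,
    relpath -> 'modified' | 'missing' | 'unexpected'; an empty dict means the
    tree is exactly what was released. Promotion should stop on any problem."""
    actual = build_manifest(root)
    problems = {}
    for rel, digest in manifest.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != digest:
            problems[rel] = "modified"
    for rel in actual:
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems


def make_constructed_release() -> Path:
    """Constructed sample release tree for the demonstration (not a real project)."""
    root = Path(tempfile.mkdtemp(prefix="release-"))
    (root / "app").mkdir()
    (root / "app" / "main.py").write_text("print('hello')\n")
    (root / "config.example.ini").write_text("[app]\nlog_level = INFO\n")
    return root


def tamper_release(root: Path) -> None:
    """Constructed change to the tree after the manifest was taken: one file
    is altered and one file is added, which verification must detect."""
    (root / "app" / "main.py").write_text("print('changed after release')\n")
    (root / "extra.py").write_text("")


if __name__ == "__main__":
    release = make_constructed_release()
    manifest = build_manifest(release)
    print("clean:", verify_release(release, manifest))
    tamper_release(release)
    print("after change:", verify_release(release, manifest))
```

A constant-time comparison is not needed here because digests are not secrets; what matters is that the manifest is produced from the repository-sourced artefact (APS-IP-01) and checked by someone other than the code's author (APS-DV-04).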