Web Applications should meet as many of the controls under the Application Security Standard as apply to the application, including controls for identity and authentication.
The following minimum controls are for web applications making use of Weblogin to provide access. (Note. Using Weblogin uses the University’s Identity and Authentication controls).
|Examples of Security Standard Controls met|
|1||Management contacts||There should be an Application Manager who is responsible for ensuring process are in place to maintain this application and the data in the application (costs of maintaining the application; duration for which is required; removal of data; control of data and access to it). This may be the Unit Manager responsible for IT; if not the Unit Manager still has overall responsibility for applications within the unit.||IAM-GN-01;07;ICP-CL-03|
|2||Technical Contact||There should be a technical contact responsible for the application.||IAM-GN-01|
|3||Fine Grained Access Controls||User accounts must be provisioned in accordance with the principle of least privilege, and fine grained controls provide for this.||APS-AC-04;SM-15;AM-02|
|4||Change to Default Credentials||Default and/or vendor supplied credentials should be changed or disabled prior to implementation in a staging or production environment.||APS-AM-01|
|5||Application Security Scan||The application should be regularly scanned (annually and after major code updates) to check for vulnerabilities. Any high level vulnerabilities found should be resolved.||OPS-SH-01; OPS-PT-05|
|6||Data in transit||Confidential Data in transit should be securely encrypted. Use https://www.ssllabs.com/ssltest/ to check. Remember to click on the button “Do not show the results on the boards”.||APS-SM-10;ICP-DP-04|
|7||Synchronization with UofT time service||NTP configuration is required for the Shibboleth/SAML service provider software. It is highly recommended for the application platform to ensure collatable log entries.||APS-SL-03|
|8||Application Patching||Application security patches should be deployed in a timely manner.||OPS-PM|
|9||Validation of Input and Output||The application should validate and restrict input and output, allowing input and output of only those data types that are known to be correct.||APS-CP-01|
|10||Error Message handling||The application should execute proper error handling so that error messages do not reveal potentially harmful information to unauthorized users (e.g. detailed system information, database structures, etc.)||APS-AH-01;03|
|11||Protection of Configuration data||The application should be configured so that configuration data is not stored within the application’s web accessible directory.||APS-AM-04|
|12||Integrity of Application Code||Source code must reside in a code repository protected by an access control mechanism.
Write access to the code repository must only be given to those with a need to change source code.
|13||Application Sessions||Application sessions should be uniquely associated with an individual or system.||APS_SM-02|
|14||Session Identifiers||Session identifiers Should be generated in a manner that makes them difficult to guess||APS-SM-01|
|15||Regeneration of Session Identifiers?||Session identifiers should be regenerated if there is a change in the access profile of a user or system||APS-SM-11|
|16||Maintenance of Session Identifiers||Session state identifiers should be maintained on the server. Unprotected session information must not be maintained on the client using hidden form fields, URL passed parameters, or other unprotected client side values.||APS-SM-04;06;07|
|17||Active Session Timeouts||Active sessions should timeout after a period of inactivity; the period will be dependent on the requirements of the application.||APS-SM-13|
|18||Application Change Controls||Application change control procedures should be documented and followed. (E.g. Changes are tested in development before updates are transferred to production).||APS-DV-03|
|19||Development to Production Controls||Functionality that allows security controls in development to be bypassed should be removed or disabled prior to implementation in a staging or production environment.||APS-AM-01;04;05;DV-01;ICP-CN-01|
|20||Logging||Attempts (successful or unsuccessful) to access the application logged should be logged. Changes to authorization (e.g. adding, modifying or revoking access) should be logged.||APS-SL-02; APS-IP-05; ICP-DP-05|
|21||Protection of logs||Application logs should be protected against tampering (e.g. by copying them to a separate log server)||APS-GN-01;OPS-SM|