IT Application Secure Coding Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. Information and the activities that depend on information are among our most valuable university assets and must be safeguarded against software security vulnerabilities. This Standard ensures that applications developed or administered by FSU reflect secure coding practices that reduce the likelihood of unauthorized disclosure or theft of sensitive institutional information and ensure the ongoing availability of critical university resources.

Insecure software coding and web application design can leave data and IT systems vulnerable to exploitation. This Standard’s primary purpose is to reduce:

  • the likelihood that malicious code will be inserted into software or successfully executed against a running application.
  • the impact of malicious code or vulnerabilities already present in deployed software, mobile or web applications.

Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the Request for Exception to IT Security Policy.

II. Definitions

Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

Full IT Glossary

III. Standard

FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.

Consolidated University Units (CUUs) are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Controls supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework and Controls

Function: Identify (ID)
  Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy
  Desired Outcome (Subcategory): ID.AM-2: Software platforms and applications within the organization are inventoried

Function: Protect (PR)
  Category: Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
  Desired Outcome (Subcategory): PR.DS-7: The development and testing environment(s) are separate from the production environment

  Category: Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets
  Desired Outcomes (Subcategories):
    PR.IP-2: A System Development Life Cycle to manage systems is implemented
    PR.IP-3: Configuration change control processes are in place

Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Application Custodian
The Dean, Director, Department Head or other manager who is ultimately responsible for an application system, including appropriate security safeguards.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting and use of university data resources, based on the Data Security Standard.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.

For more information, see IT Roles and Responsibilities.

Application Requirements

Education, research, clinical, administration and other core services often require providing access to university applications and data across multiple systems. This Standard identifies application security requirements for enterprise applications and applications based on the classification of the data being processed, stored, and transmitted as defined by the Data Security Standard.

Application Custodians are responsible for ensuring security and privacy safeguards for:

  • Applications, data, workstations, and devices with access to High Risk and Moderate Risk data and applications.
  • Security of account credentials issued that provide access or APIs to enterprise applications or systems.
  • Security of data, applications and APIs that access or accept transferred High Risk or Moderate Risk data as a result of enterprise integration requests.

Application Custodians may delegate functions to authorized users, but accountability remains with the Custodian.

Software and application developers and administrators must ensure that secure coding practices are incorporated into each phase of the software development life cycle and extend to connected systems, such as database servers used to store application data. They are responsible for reviewing the code and implementing appropriate application security controls for systems under their management and supervision. An automated code review tool such as Semgrep may be used for this purpose.

This Standard applies to FSU staff as well as third-party vendors contracted by FSU to perform application services.
Requirements for application security and secure coding include:

  1. Application Development:
  • Application security must be fully integrated throughout the Software Development Lifecycle (SDLC), as defined by formalized software implementation guidelines. Guideline requirements include periodic security training for developers, formal attestation of compliance by developers, periodic review of guidelines for compliance with regulatory requirements, default baseline configuration for applicable applications, monitoring of formal Service Level Agreements (SLAs) for third parties, and a process to incorporate best practices and lessons learned into the SDLC guidelines.
  • Application Custodians and Data Custodians are responsible for defining security-related business requirements (e.g., identification of protected data, specifications of groups or users who will be authorized access, etc.). Based on these requirements, the application development team will implement appropriate controls to minimize risk to the IT infrastructure and other university resources.
  • Applications that house or interface with High Risk or Moderate Risk data must have processes for tracking access and modification of the data.
  • Detailed application security documentation (for example, screen and data mapping) shall be maintained and made available to ISPO upon request.
  • Secure coding principles must be incorporated into the security architecture and development lifecycle. This includes defining detailed security requirements early in the software development life cycle and then evaluating for compliance with those requirements.
  • Applications must be reviewed before and regularly after implementation to ensure security controls are appropriate.
  • SDLC guidelines shall include a process that ensures appropriate consultation or involvement from ISPO for vulnerability scans, code reviews, and penetration tests before systems are deployed.
  • Development and test infrastructures shall be physically or logically separated from the production infrastructure.
  • Databases and files containing critical, High Risk or Moderate Risk information shall be placed in an internal network zone segregated from the Internet-facing network segments.
  • Technology managers shall restrict and tightly control the use of utility programs that may be capable of overriding system and application security controls.
  2. Software/Application Patching:
  • FSU’s network, systems, and data must be protected from damage or loss due to threats such as worms, viruses, data loss, or other types of external or internal attacks. This requires the timely and consistent application of vendor-supplied security patches, mitigation of reported vulnerabilities, and other practices in accordance with the IT Vulnerability Management Standard.
  3. Use of Production Data for Development or Testing:
  • Production data must be protected.
  • Development and test environments may not use production data classified as High Risk or Moderate Risk without written approval from the Data and Application Custodians. Controls must be in place to ensure protection, restricted access and auditing of the data. Production data must be removed when testing is complete.
  4. Use of Acceptance, Staging, or Quality Assurance Environments:
  • Pre-production environments may be used to facilitate application testing prior to the production deployment of software and related systems, which may require use of production data. Therefore, these environments must be maintained using production-level infrastructure services and must have the same information security controls and operational management standards as the corresponding production environment. The benefit of such environments should be weighed against the cost and risk associated with running the functional equivalent of a secondary production environment.

Web Application Standards

Software and web applications that fall under this Standard are required to meet OWASP Secure Coding Requirements or their equivalent. Examples include:

Ref # | Secure Coding Practice | High Risk | Moderate Risk | Low Risk
1 | Validate input and allow only those types of input that are known to be correct to protect against cross-site scripting and injection flaws and similar vulnerabilities | Required | Required | Required
2 | Execute proper error handling so that errors do not provide detailed system information, deny service, impair security mechanisms, or crash the application | Required | Required | Required
3 | Authenticate end users through FSU-approved enterprise authentication systems, for example Single Sign-On (CAS) | Required | Required | Recommended
4 | Require 2-Factor Authentication (2FA) for end user access to the application | Required | Required | Recommended
5 | Comply with the IT Enterprise Application Integration Standard | Required | Required | Recommended
6 | Adhere to the principle of least privilege for all application and system access; wherever feasible, provide access based on role, affiliation, or membership rather than by individual, as defined by the IT Access, Authorization and Authentication Standard | Required | Required | Recommended
7 | Review access given to individuals and access given based on roles, affiliations, or memberships on an annual basis | Required | Required | Recommended
8 | Encrypt network traffic based upon the Encryption Standard and fulfill any specific regulatory mandates | Required | Required | Required
9 | Implement application logging and ensure compliance with the IT Log Collection, Analysis and Retention Standard | Required | Required | Required
10 | Conduct code-level security reviews with professionally trained peers for all new or significantly changed applications and any software dependencies | Required | Required | Required
11 | Use quality assurance techniques, such as static code analysis and application scanning, to identify and eliminate vulnerabilities. Conduct web application vulnerability scanning prior to go-live, when major changes or revisions are implemented, and on an annual basis | Required | Required | Recommended
12 | Establish a schedule to identify and remove obsolete, unsupported, or no longer needed software or applications. Identified software and applications must be decommissioned | Required | Required | Required
13 | Implement and maintain a formal production migration and change management process for production applications, including signoff validating successful completion of the Secure Coding Practices identified in this Standard | Required | Required | Recommended

Incident Reporting

Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the IT Incident Response Standard for more information.

IV. References
