Web application security assessments must be performed to identify potential or realized weaknesses (e.g., insecure
coding, inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information
leakage) per the Vulnerability Management Policy.
Web applications must follow regular security or out-of-band assessments if one of the following criteria are met:
New or significant application releases are subject to the Software Development Life Cycle and Secure SDLC before
approval of the change control documentation or release into the live environment.
Third-party or acquired web applications (i.e., commercial applications for which source code is not available) must
be scanned when installed or upgraded, and the vulnerabilities must be reported to the University Information
Security Office (UISO), and the vendor for correction.
Shared accounts are prohibited, except where it is not technically possible to individually provision accounts.
All Internet-facing web applications should deploy the UISO approved technical controls (e.g., Web Application
Firewall (WAF) or Intrusion Prevention System (IPS)).
Other security controls include but are not limited to, the following:
Access controls,
Configuration changes (you must submit non-agreed upon configuration changes to the UISO for review),
Authentication (multi-factor authentication must be used for except where it is not technically possible),
Data protection (e.g., encryption, data masking),
Error handling and logging,
Input and output handling, and
Session management.