UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance for application software security requirements.
Resource Proprietors and Resource Custodians must ensure that secure coding practices, including security training and reviews, are incorporated into each phase of the software development life cycle.
Unsafe coding practices result in costly vulnerabilities in application software that leads to the theft of sensitive data.
For applications to be designed and implemented with proper security requirements, secure coding practices and a focus on security risks must be integrated into day-to-day operations and the development processes. Application developers must complete secure coding requirements regardless of the device used for programming.
A critical first step to develop a secure application is an effective training plan that allows developers to learn important secure coding principles and how they can be applied. Compliance with this control is assessed through Application Security Testing Program (required by MSSEI 6.2), which includes testing for secure coding principles described in OWASP Secure Coding Guidelines:
While OWASP (Open Web Application Security Project) specifically references web applications, the secure coding principles outlined above should be applied to non-web applications as well. Please refer to OWASP Secure Coding Guidelines to see a more detailed description of each secure coding principle. OWASP also runs a Faux Bank demo site that shows the top 10 vulnerabilities along with blog posts explaining the intricacies of each vulnerability.
Listed below are examples of training courses that can be used to gain proficiency in secure coding principles:
Alternately, relevant books and reading material can also be used to develop proficiency in secure coding principles, provided that sufficient time is allocated to staff for self-study.
Secure coding practices must be incorporated into all life cycle stages of an application development process. The following minimum set of secure coding practices should be implemented when developing and deploying covered applications:
While there is no campus standard or prescriptive model for SDLC methodologies, the resource proprietor and resource custodian should ensure the above major components of a development process are defined in respect to the adopted development methodology, which could be traditional waterfall model, agile or other models.
The Information Security Office (ISO) will help you evaluate your web-based application’s security posture by scanning it with an automated application vulnerability scanner and review the scanner findings with a designated representative from your unit. For details of the service, please visit the service overview page.
(The following links are provided for information and planning purposes. The requirement to conduct code reviews will become effective July 1, 2014, and will not be included in MSSEI assessments prior to that time.)