• Home
  • KUMC Secure Application Development

KUMC Secure Application Development

Policy
Purpose: 

Principle

Applications developed by personnel employed or contracted by KUMC departments must meet KUMC standards for secure application development.

Purpose
The purpose of this operational protocol is to assure that the programming of custom applications conforms to best practices for secure application development.

Applies to: 

All KUMC faculty, staff, and students.

Campus: 
Medical Center, Kansas City
Wichita
Salina
Policy Statement: 

Minimum Application Development Standards

All applications hosted on KUMC infrastructure must comply with the following set of minimal practices.

#

Practice

Public-facing

Contains sensitive information

1

Ensure applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Examples include, but are not limited to, such possibilities as cross-site scripting, buffer overflow errors, and injection flaws. See http://www.owasp.org/ for more information and examples.

Required

Required

2

Ensure applications execute proper error handling so that errors will not provide detailed system information, deny service, impair security mechanisms, or crash the system. See http://www.owasp.org/ for more information and examples.

Required

Required

3

Ensure applications authenticate users through central authentication systems where possible, specifically, Central Authentication Services (CAS), Active Directory, LDAP , or Shibboleth.

Recommended

Required

4

Establish authorizations for applications by affiliation, membership, or employment, rather than by individual.

Recommended

Recommended

5

Services or applications running on systems manipulating confidential data must implement secure (that is, encrypted) communications as required by sensitive information and integrity needs. See the Sensitive Information in Electronic and Paper-Based Formats policy for more information. 

Recommended

Required

6

Conduct code-level security reviews with professionally trained peers for all new or significantly modified applications; particularly, those that affect the collection, use, and/or display of sensitive information, documenting the actions that were taken.

Recommended

Required

7

Maintain source code separate from compiled code, ideally in a centralized code repository like CVS or Team Foundation Services that is regularly groomed and backed up.

Recommended

Recommended

8

Locate services or applications on infrastructure that is actively managed, ie, updates are applied, backup procedures are in place, etc.

Required

Required

9

For software run on the desktop, ensure you have a process in place to manage deployment to the clients for updates and patches.

Recommended

Recommended

10

Applications and services must comply with state and federal guidelines regarding web accessibility. See the Web Resource Availability policy for more information.

Required

Required

 

Web-based applications should comply with university visual identity standards

Required

Required

 

Additional notes:

  • Departments are encouraged to consult with the Department of Information Resources prior to engaging any custom application development to assure that centralized, freely available full-time programming resources can't be used in some capacity, including defining requirements, scope, architecture, security, data modeling, project management, etc.
  • Applications must work on existing infrastructure.
  • All applications will be reviewed by Information Resources programming staff before being loaded on KUMC web servers or otherwise made available for use.
  • On request, source code and documentation will be provided to Information Resources.
  • Prior to installation on KUMC's production environment, applications will be loaded on the IR-managed testing environment. IR staff will assist in this process.
  • Departments should assign one or more staff as Application Administrator(s) to manage the day-to-day activities associated with the application and a point-of-contact for working with IR on on-going technical activities including loading patches/updates, backup recovery, and configuration.
  • Departments should make provision for ongoing technical support of the application, whether through local programming resources, an SLA with Information Resources, or a maintenance contract.
Consequences: 

Systems not in compliance will be disconnected from the network or disabled.

Contact: 

For information on this policy, please contact:

Jameson Watkins
Director of Customer Innovation and Support
Department of Information Resources
University of Kansas Medical Center
4021 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7387

Michael Harmelink
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
1018 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-4900

Approved by: 
Chief Information Officer
Approved on: 
Wednesday, February 1, 2012
Effective on: 
Wednesday, February 1, 2012
Review Cycle: 
Annual (As Needed)
Keywords: 
development, applications
Review, Approval & Change History: 

2014-03-03: Moved into KU Policy Library.

Information Access & Technology Categories: 
Privacy & Security

Policy Library Search
Can't Find What You're Looking For?
One of 34 U.S. public institutions in the prestigious Association of American Universities
26 prestigious Rhodes Scholars — more than all other Kansas colleges combined
Nearly $290 million in financial aid annually
1 of 9 public universities with outstanding study abroad programs.
—U.S. News & World Report
46 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
—ALA
$260.5 million in externally funded research expenditures
23rd nationwide for service to veterans —"Best for Vets," Military Times