Applications security is a process that starts at the beginning of the application development cycle or with the procurement process. The security of an application is tied to almost every aspect of information technology and can be incredibly difficult to ensure. Applications security encompasses the development process (coding), the system or hardware it runs on, the network it is connected to and the authentication and authorization methods used to gain access to the system both by users of the application and administrators.
The first, and often the most important, aspect of applications security starts with the application itself. The Division of IT recommends that developers follow the framework for secure applications provided by the Open Web Application Security Project (OWASP). System administrators and network engineers should also familiarize themselves with this project.
MU departments are now required by policy to ensure that their applications are secure:
The Division of IT has implemented two new tools to help application owners meet this policy and more importantly ensure their applications can be trusted:
The Application Registry is a database that tracks the applications owned, developed or utilized by University of Missouri departments. The Registry tracks the purpose of the application, who is responsible for it, and classifies the data that it uses. The Division of IT uses the Application Registry to schedule applications for initial and ongoing security inspections.
The Data Classification System (DCS) categorizes the types of data that many of our applications use and provides rules for how to secure the systems that house those applications. The new security auditing requirements are dependent on the data classification level of your application. See additional information on the new auditing requirements.
Contact ISAM at firstname.lastname@example.org for more information on applications security.