OIS SAD SC V1.0 21 November 2013


Software Application Development


Security Considerations
















WOODLANDS CAMPUS

OFFICE OF INFORMATION SERVICES

SOFTWARE APPLICATION DEVELOPMENT SECURITY CONSIDERATIONS

VERSION 1.0

21 November 2013



Version Control

0.1 Document Information

Prepared By: Joseph Lim
Department: Office of Information Services
Date Prepared: 08 October 2007 15:24:00
Last Updated By: Nicholas Wang
Last Updated Date: 21 November 2013 03:47:00

0.2 Version History

Date | Version Number | Author | Description of Changes
21/11/2013 03:47:00 | 1.0 | Joseph Lim | Creation of Documents & Initial Input
21/11/2013 03:47:00 | 1.0 | Nicholas Wang | Review with Minor Update

















0.3 Distribution List

Name | Departments | Rights
Master Copy (Original) | Director OIS, Deputy Director OIS, Manager System Management, Managers, Helpdesk | Full Access Rights
 | All OIS Staff | Read Only
 | All Staff | Read Only





This document gives an overview of security considerations during the software development process.

Security should always be considered, in almost all phases of the software development life cycle.



1. Requirement gathering: consider the following
a. Data classification
b. Transaction tracking and audit logs
c. Private data exposure
d. Access control, on both UI and data
e. Error handling

2. Choice of experienced vendor and programmers


3. System Design
a. 3-tier or more. No business logic allowed in ASPX pages.
b. Keep all audit logs
c. Email important actions
d. File storage (weak), SharePoint service
e. Access control, or user and role management (define the business owner as admin, and the admin manages the rest)
f. Cookies can be used for authentication purposes, but must be encrypted
g. Follow a framework, for example OWASP (waiting for implementation)

4. System design review and DB design review (DB design standards)


5. Coding standards
a. No hard-coded values
b. Comments in core business workflow
c. Exception handling
d. Input validation/query validation to avoid SQL injection and cross-site scripting
e. For internal websites, use Windows authentication for all pages, instead of using cookies and sessions to identify user and role (not all comply because of functional requirements)
f. File name validation to avoid uploading of executable files
g. Use commercial software (Fortify, Ounce Labs and Armorize) to do code review (pending evaluation and implementation)


6. Production Management
a. Documentation (www.rp.sg/deploy) (Production Team)
b. Version control using VSS (Production Team)
c. Server/data backup/restore plan (Network team)
d. Network security, SSL (Network team)
e. Customized error page (public websites)
f. Daily log scan (scheduled task)
g. Encrypted connection string (pending implementation)
h. Credential information protection (weak) and web content scan (in process to call ITQ)
i. Each web application to use its own application pool



7. System Review
a. Engage a 3rd party to do penetration test (Application, Network and Server)

8. Windows Application
a. Use web service to get data; one or two still use a connection string (needs enhancement)
b. Encryption of private key
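
One way to implement the file name validation of item 5f in an ASP.NET upload handler, shown as an added example that is not part of the original document. The class name, the allowed extensions and the length limit are assumptions.

```csharp
// Added example, not from the original document.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

public static class UploadNameValidator
{
    // Assumption: the application only needs these document and image types.
    static readonly HashSet<string> Allowed = new HashSet<string>(
        new[] { ".pdf", ".docx", ".xlsx", ".png", ".jpg" }, StringComparer.OrdinalIgnoreCase);

    // Returns true and a server-generated storage name if clientName is acceptable.
    public static bool TryGetSafeName(string clientName, out string storedName)
    {
        storedName = null;
        if (string.IsNullOrWhiteSpace(clientName)) return false;
        // Some browsers send the full client path; keep only the last segment.
        string name = clientName.Substring(
            clientName.LastIndexOfAny(new[] { '/', '\\' }) + 1);
        if (name.Length == 0 || name.Length > 100) return false;   // assumed limit
        // Windows silently drops trailing dots and spaces ("a.aspx." is saved
        // as "a.aspx"), so a name ending in either is refused.
        if (name.TrimEnd('.', ' ').Length != name.Length) return false;

        // Refuse characters invalid in file names; ':' is listed explicitly
        // because on NTFS it introduces a stream name ("a.aspx::$DATA").
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            name.IndexOf(':') >= 0 || name.Any(char.IsControl)) return false;

        // Allow-list (not block-list) on the extension, and exactly one dot,
        // so "report.aspx.jpg" is refused. This is deliberately strict.
        string ext = Path.GetExtension(name);
        if (!Allowed.Contains(ext) || name.Count(c => c == '.') != 1) return false;

        // Never reuse the client's name on disk.
        storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        return true;
    }

    public static void Main()
    {
        // Constructed sample names.
        foreach (string n in new[] { "report.pdf", @"C:\tmp\photo.JPG", "shell.aspx",
                                     "shell.aspx.jpg", "shell.aspx.", "x.jpg::$DATA" })
        {
            string stored;
            Console.WriteLine("{0,-18} -> {1}", n,
                TryGetSafeName(n, out stored) ? "accept as " + stored : "reject");
        }
    }
}
```

Name validation complements, and does not replace, storing uploads in a directory where the web server will not execute them.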