Software Security Guidelines

The following guidelines are intended to provide criteria to be used in evaluating the security of software for use at UF, and/or to guide purchase or development of software. These guidelines will be used as part of the Risk Assessment process when evaluating the risk of software.

General security features

  1. Authentication uses GatorLink accounts. Web applications use Shibboleth, workstation access uses UFAD.
  2. Use of the software does not interfere, preclude, or circumvent anti-virus controls of the end-user device, server or network.
  3. Does not require privileged access on end-user devices to function.
  4. Applies the principle of least privilege for access to data and application functionality.
  5. Role-based authorization, implemented preferably via ARS roles or university affiliations. Use of UFAD groups is acceptable if preferred methods are not available, but procedures must be in place to monitor and modify role assignments based on personnel and job duty changes.
  6. Capability to log activity per the UF Audit and Logging Policy and Standard.

Web application security features

  1. Follow OWASP guidelines. The OWASP 2016 top 10 proactive controls are:
    1. Verify for Security Early and Often
    2. Parameterize Queries
    3. Encode Data
    4. Validate all inputs
    5. Implement Identity and Authentication Controls
    6. Implement Access Controls
    7. Protect Data
    8. Implement login and intrusion detection
    9. Leverage security frameworks and libraries
    10. Error and exception handling
  2. Web applications should be reviewed and/or tested by someone other than the primary developer, to identify security concerns and faults.
  3. A developer should be retained to address security concerns and/or bugs as they are discovered.