Application Security

Below are a number of resources to help keep your applications secure.

General

Security Scans and Assessments

Listservs and Feeds

Learning

General

Application Security Best Practices

By following application and website security best practices, application owners can take proactive steps to significantly reduce or eliminate vulnerabilities in software before deployment. These vulnerabilities potentially provide attackers with the ability to take control of a server or computer, which can result in the compromise of UCSF data, personal data, denial of service, loss of service, or damage to a system used by thousands of users.

OWASP - Open Web Application Security Project

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and available to anyone interested in improving application security. OWASP also publishes a Top 10 list, which represents a broad consensus of the most critical web application security flaws.

Developers must understand secure coding principles and incorporate secure coding practices into their development processes. The OWASP Secure Coding Guidelines provide a checklist for assessing compliance. Developers should also understand the secure coding standards specific to the language they are coding in.

SSL Certificates

Websites that use authentication or that transmit or receive UCSF data must encrypt data in transit. SSL (Secure Sockets Layer) certificates, more precisely X.509 certificates used for TLS, are small data files that digitally bind a public key to an organization's details. When installed on a web server together with its private key, a certificate enables HTTPS connections between the server and a browser, which then shows the padlock. Note that the SSL protocol versions themselves (SSLv2 and SSLv3) are obsolete and insecure: the certificate is the same, but the server must be configured to negotiate TLS 1.2 or later. UCSF provides certificate services for free to the UCSF community.
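The "encrypt in transit" requirement above is only met if the certificate is used by a correctly configured TLS stack. The following is an added example, not code from the UCSF page or its certificate service: it builds a hardened and a deliberately permissive Python ssl context side by side and audits either one for the settings that matter (minimum protocol version, certificate verification, hostname checking). The certificate and key paths passed to hardened_server_context() are placeholders for files issued by the certificate service; nothing here opens a network connection.

```python
import ssl

# Added example, not from the UCSF page: hardened vs permissive TLS
# configuration, plus an audit function. Paths in hardened_server_context()
# are placeholders for an issued certificate chain and its private key.

MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client side: verify the server certificate against the system CA
    store, check the hostname, and refuse SSLv3 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_VERSION    # legacy protocol versions are refused
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """What 'just make the certificate error go away' code looks like:
    any certificate (or none) is accepted, so an on-path attacker can
    impersonate the server. Built only so audit_context() has a failing case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server side: present the issued certificate chain and private key
    and require TLS 1.2 or newer. certfile/keyfile are placeholder paths."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = MIN_VERSION
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext, role: str) -> list[str]:
    """Return findings; an empty list means the context meets the
    encrypt-in-transit bar. Servers normally do not verify client
    certificates, so the verification checks apply to the client role."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append("accepts TLS versions older than 1.2")
    if role == "client":
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("does not verify the server certificate")
        if not ctx.check_hostname:
            findings.append("does not check the certificate hostname")
    return findings


if __name__ == "__main__":
    print("hardened:  ", audit_context(hardened_client_context(), "client"))
    print("permissive:", audit_context(permissive_client_context(), "client"))
```

The order of the two assignments in permissive_client_context() is deliberate: Python refuses to set verify_mode to CERT_NONE while check_hostname is still True, which is a useful guard rail, and code that silences that error is exactly what a scan or code review should flag.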

UCSF Minimum Security Standards

All devices and applications at UCSF must meet the Minimum Security Standards. When developing applications it is especially important that these standards are understood and followed. Applicable topics include transmission encryption, authentication encryption, passwords, patching, vulnerability management, and systems inventory.

Security Scans and Assessments

It is the responsibility of the web application owner to keep their web application up to date on security patches and to keep an up-to-date application inventory record in the enterprise configuration management database (CMDB). Current patches and inventory records are the first step in maintaining web application security. UCSF provides the following scanning and assessment tools and services as information assurance steps to validate the aggregate system security posture.

UCSF Netsparker Web Application Security Scan

Netsparker is a web application security scanner that finds vulnerabilities such as SQL injection and cross-site scripting (XSS) within a web application. Contact [email protected] or the UCSF IT Service Desk to initiate a vulnerability scan of your web application. It’s advisable to scan on a regular basis or after any major changes to your application.

Note that if you are planning a vulnerability scan of a web application hosted on AWS, check the current AWS penetration-testing policy before starting: AWS has historically required customers to request authorization from Amazon before scanning, and the policy has changed over time.

UCSF Nessus Vulnerability Scan

Nessus finds vulnerabilities in the operating system, network, and database layers that your application runs on. These vulnerabilities are often due to an out-of-date operating system and/or exposed or misconfigured network services (SSH, FTP, etc.). Contact [email protected] or the UCSF IT Service Desk to initiate a scan.

Nessus vulnerability scan is not available for servers hosted in the cloud.

UCSF Risk Sonar Security Risk Assessment (formerly Delphiis)

All UCSF systems need to go through a security risk assessment. This process measures the security aspects of all computing devices involved in a system, such as applications, computers, servers, routers, switches, network connections, and other types of technologies.

Listservs and Feeds

UCSF Security Listserv

[email protected]

The security listserv provides up-to-date notifications on recent security vulnerabilities. Notifications include what happened, users impacted, affected versions, action required, and related links.

Learn how to subscribe to a listserv here

CVE (Common Vulnerabilities and Exposures) Data Feed

Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cyber security vulnerabilities. Use of CVE Identifiers, or "CVE IDs," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.

NVD (National Vulnerability Database) Data Feeds

The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
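The CVE and NVD feeds described above are meant to be consumed by tooling, and the point of the NVD data (CPE product names, version ranges, CVSS impact metrics) is that an application owner can match it against their own inventory. The following is an added example, not code from the UCSF page or from NVD: a minimal consumer of the NVD API 2.0 JSON shape that pulls out the CVSS score and checks whether a given vendor/product/version falls inside a vulnerable CPE range. SAMPLE_FEED is a hand-built, abridged record (one CVSS metric, one CPE range, a constructed description) rather than a verbatim download; the real NVD record for CVE-2021-44228 lists several more version ranges, so this block illustrates the matching logic, not the full affected set.

```python
import json
import re

# Added example, not from the UCSF page or NVD. SAMPLE_FEED is a constructed,
# abridged record in the NVD API 2.0 JSON shape; only the CVE ID, CVSS 3.1
# score/vector and the 2.13.0 <= v < 2.15.0 range are taken from the real
# record, and the description text is a constructed one-line summary.
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [{"cve": {
        "id": "CVE-2021-44228",
        "descriptions": [{"lang": "en",
                          "value": "JNDI lookup in Log4j 2 permits remote code execution."}],
        "metrics": {"cvssMetricV31": [{
            "source": "nvd@nist.gov", "type": "Primary",
            "cvssData": {"version": "3.1",
                         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                         "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.13.0",
             "versionEndExcluding": "2.15.0"}]}]}],
    }}]
})


def load_feed(text: str) -> dict:
    return json.loads(text)


def version_key(v: str, width: int = 4) -> tuple:
    """Leading number of each dotted component, zero-padded so that
    '2.15' == '2.15.0'. Pre-release suffixes such as '2.0-beta9' are
    ignored: adequate for range checks, not for ordering pre-releases."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    nums = nums[:width] + [0] * (width - len(nums))
    return tuple(nums)


def in_range(version: str, match: dict) -> bool:
    """Apply whichever of the four NVD range keys are present on a cpeMatch."""
    v = version_key(version)
    bounds = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding",   lambda b: v <= b),
              ("versionEndExcluding",   lambda b: v < b))
    return all(ok(version_key(match[k])) for k, ok in bounds if k in match)


def cpe_matches(criteria: str, vendor: str, product: str, version: str) -> bool:
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... ; '*' means any version."""
    f = criteria.split(":")
    if f[3] != vendor or f[4] != product:
        return False
    return f[5] == "*" or version_key(f[5]) == version_key(version)


def summarize(feed: dict) -> list:
    """ID plus primary CVSS 3.1 impact metrics for every record in the feed."""
    out = []
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        data = (cve.get("metrics", {}).get("cvssMetricV31") or [{}])[0].get("cvssData", {})
        out.append({"id": cve["id"], "score": data.get("baseScore"),
                    "severity": data.get("baseSeverity"), "vector": data.get("vectorString")})
    return out


def affected(feed: dict, vendor: str, product: str, version: str) -> list:
    """CVE IDs whose vulnerable CPE entries cover this vendor/product/version.
    Simplification: every node is treated as OR; real consumers must honour
    node operators (e.g. application AND operating system) and 'negate'."""
    hits = []
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        for conf in cve.get("configurations", []):
            for node in conf.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if (m.get("vulnerable") and cpe_matches(m["criteria"], vendor, product, version)
                            and in_range(version, m) and cve["id"] not in hits):
                        hits.append(cve["id"])
    return hits


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    print(summarize(feed))
    print("log4j 2.14.1:", affected(feed, "apache", "log4j", "2.14.1"))
    print("log4j 2.15.0:", affected(feed, "apache", "log4j", "2.15.0"))
```

Two caveats a practitioner should carry over into real tooling: the CPE vendor and product strings in your CMDB inventory have to be normalised to the same spelling NVD uses before any of this matching works, and version comparison for non-numeric schemes (date-based, "beta"/"rc" suffixes) needs the packaging ecosystem's own rules rather than the simple numeric key used here.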

Learning

O'Reilly's Safari Bookshelf

The UCSF Library has a subscription to O’Reilly’s Safari Bookshelf, which has numerous e-books on topics such as Java, mobile, Apple, web and game programming, server and network administration, security, databases, and desktop and web applications to name just a few categories.

UCSF Skillsoft

Through the UC Learning Center, Skillsoft offers numerous online courses in a variety of topics, including IT, software development, and security. Security certification courses include CompTIA's Security+ and ISC2's CISSP.