IT Security Committee Item: SC-0006 Standard: UC Secure Software Development
Last Updated: 08/21/2019 Page 5 of 10 Editor: Robert Smith
● System architecture (e.g., web, applications, user interfaces, programmatic interfaces, file import/export, reports, databases).
● Documentation.
● Change management (See IS-3, III).
● Testing, including creating test plans, reviewing test results and confirming fixes and patches.
● Secure deployment practices and separation of duties.
Regarding code review, Units developing software that will process, store or transmit Institutional Information classified at Protection Level 3 or higher or Availability Level 3 or higher must:
● Perform code reviews to reduce cyber risk.
● Consider and check for common security mistakes.
● Include in the review process a senior software developer and, if possible, choose an independent one.
● Include in the review process an IT Workforce Member with specific security experience.
● Use automated secure code testing/checking tools:
o Perform static code analysis.
o Perform dynamic code analysis.
4.2 Input Validation
IT Workforce Members developing software must:
● Validate user input before using the input data programmatically.
● Sanitize or reject invalid user input to protect against code injection attacks.
● Include user interface controls in the input validation strategy to make compliant and safe input easy for the user.
● Protect against buffer overflow attacks.
● Protect against array index errors.
● Protect against parameter manipulation attacks.
● Use parameterized SQL queries.
● Defend against SQL injection attacks.
● Put all SQL code/commands in server-side code.
o Do not use concatenated database queries.
o Do not put SQL in client-side code.
● Set Autocomplete=off in HTML to prevent the caching of sensitive information.
● Protect against URL query string manipulation attacks.
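The following worked example illustrates the input validation and parameterized query requirements above. It is added here for illustration and is not part of the UC standard or any UC code base; the table, sample rows and the username format rule are constructed assumptions. It shows the concatenated query the standard forbids next to the parameterized, server-side form it requires, and an allowlist validation step that rejects invalid input before it reaches the database.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the standard).
SAMPLE_USERS = [("alice", "alice@example.edu"), ("bob", "bob@example.edu")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """The form the standard forbids: the query text is built by string
    concatenation, so the user's input becomes part of the SQL grammar."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The form the standard requires: a placeholder is bound by the driver,
    so the input is always treated as a data value, never as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Assumed username format: lowercase letter, then 2-31 letters, digits or
# underscores. An allowlist pattern like this is the validation step; anything
# outside it is rejected rather than "cleaned up".
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def is_valid_username(username):
    """Allowlist check used before any programmatic use of the input."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def lookup_user(conn, username):
    """Validate first, then query with a bound parameter: both layers together."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("concatenated:", lookup_concatenated(db, hostile))   # returns every row
    print("parameterized:", lookup_parameterized(db, hostile))  # returns nothing
    print("validated:", is_valid_username(hostile))             # False
```

Running the script shows why the standard pairs the two controls: the concatenated query returns every row for the hostile string, the parameterized query returns no rows for the same string because the driver passes it as a literal value, and the allowlist check rejects it before a query is ever issued.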
IT Workforce Members developing software must not use the following types of information in the URL/URI:
● Credentials.
● Access tokens, serial numbers or record numbers.
● PII (e.g., names, SSNs, driver’s license numbers or dates of birth).
● PHI (e.g., a Medical Record Number, diagnosis, condition or name).
4.3 Exception and Error Handling
IT Workforce Members developing software must: