Software Security Guidelines

Software Security Guidelines

The following guidelines are intended to provide criteria to be used in evaluating the security of software for use at UF, and/or to guide purchase or development of software. These guidelines will be used as part of the Risk Assessment process when evaluating the risk of software.


  1. Authentication uses GRC accounts. Web applications use ADFS, workstation access uses AD.
  2. Use of the software does not interfere, preclude, or circumvent anti-virus controls of the end-user device, server or network.
  3. Does not require privileged access on end-user devices to function.
  4. Applies the principle of least privilege for access to data and application functionality.
  5. Role-based authorization, implemented preferably via AD groups, but procedures must be in place to monitor and modify role assignments based on personnel and job duty changes.
  6. Capability to log activity per the GRC IT Security Program.


  1. Follow OWASP The latest OWASP Top 10 Proactive Controls can be found here.
  2. Web applications should be reviewed and/or tested by someone other than the primary developer, to identify security concerns and faults.
  3. A developer should be retained to address security concerns and/or bugs as they are discovered.