Software Security Guidelines
The following guidelines are intended to provide criteria to be used in evaluating the security of software for use at UF, and/or to guide purchase or development of software. These guidelines will be used as part of the Risk Assessment process when evaluating the risk of software.
GENERAL SECURITY FEATURES
- Authentication uses GRC accounts. Web applications use ADFS, workstation access uses AD.
- Use of the software does not interfere, preclude, or circumvent anti-virus controls of the end-user device, server or network.
- Does not require privileged access on end-user devices to function.
- Applies the principle of least privilege for access to data and application functionality.
- Role-based authorization, implemented preferably via AD groups, but procedures must be in place to monitor and modify role assignments based on personnel and job duty changes.
- Capability to log activity per the GRC IT Security Program.
WEB APPLICATION SECURITY FEATURES
- Follow OWASP The latest OWASP Top 10 Proactive Controls can be found here.
- Web applications should be reviewed and/or tested by someone other than the primary developer, to identify security concerns and faults.
- A developer should be retained to address security concerns and/or bugs as they are discovered.