June 7, 2010

Purpose

This document provides the minimum security requirements for web applications developed, owned or managed by State agencies.

Overview

State agencies use web applications to offer services, collect and disseminate information. Cyber criminals increasingly target web applications to steal confidential data and spread malware. State agencies shall ensure that their web applications meet a minimum set of security requirements.

Scope

For the purpose of this standard, security is defined as the ability to protect the confidentiality, integrity, and availability of information processed, stored and transmitted by agencies via web applications. Information technology assets covered by this policy include those that process, store, transmit or monitor digital information.

This standard applies to all agencies as defined by Iowa Code Chapter 8A, Section 101. Non-participating agencies are encouraged to follow the guidelines in this and other enterprise level policies, standards, guidelines, processes and procedures.

Definitions

Selected terms used in the Enterprise Web Application Security Standard are defined below:

  • Application: A computer program or set of programs that meet a defined set of business needs.
  • Availability: Ensuring timely and reliable access to and use of information.
  • Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  • Development: Environment for incomplete versions of an application; initial deployment for testing; and informal testing by the project team.
  • Integrity: Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
  • Production: Environment for final deployment of applications for usage by intended audience.
  • Test: Environment for preparation for production deployment. Formal testing including functionality; performance; scalability; user acceptance and security is performed.
  • Web application: An external application that is accessed via a web browser over the Internet.

Elements

The following are the elements of the Enterprise Web Application Security Standard.

  1. Social Security Numbers:
    1. Social Security numbers shall not be used as a User Id or password during logon for web applications.
    2. Social Security numbers shall not be displayed in full on web applications beyond the initial data entry screen.
  2. Development: Agencies engaged in application development must implement separate development, test, and production environments for the applications they develop. Agencies involved in application hosting must implement separate test and production environments.
    1. Agencies must remove test data and accounts from production systems before these systems become live.
  3. Production Data: Use of confidential data in test environments requires agency management approval.
    1. Test environments using confidential data shall meet standards equivalent to the production system.
  4. Coding Vulnerabilities: Agencies shall develop web applications based on secure coding guidelines and eliminate common coding vulnerabilities. At a minimum agencies must meet the current Open Web Application Security Project (OWASP) guidelines http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project to prevent:
    1. Injection (SQL, LDAP, etc.)
    2. Cross-Site Scripting (XSS)
    3. Broken Authentication and Session Management
    4. Insecure Direct Object References
    5. Cross Site Request Forgery
    6. Security Misconfiguration
    7. Failure to Restrict URL Access
    8. Unvalidated Redirects and Forwards
    9. Insecure Cryptographic Storage
    10. Insufficient Transport Layer Protection
  5. Application Testing: Agencies shall review and test web applications for security vulnerabilities using an automated web application scanning tool. Application review shall include source code and run time analysis.
    1. Web applications shall be scanned using all application roles (ex. user and admin).
    2. New web applications must be scanned before going to production.
    3. Existing web applications must be scanned annually and whenever significant changes are made to the application.
    4. Critical/high vulnerabilities identified by the web application scans shall be remediated.
    5. The web application review must be conducted by someone other than the developer.
    6. The Information Security Office shall maintain a list of criteria for approved web application scanning tools.
  6. Change Management: Agencies shall implement a change management procedure for deployment of agency web applications. Separation of duties shall be implemented to prevent developers from publishing their own applications to the production environment.
  7. Encryption: Web applications collecting or displaying confidential data must encrypt the data in transit.
    1. Data in transit shall be protected with SSL 3.1/TLS 1.0, equivalent or higher method of encryption.
  8. Log-on Banner: Web applications which require a log-on shall have a log-on banner. The banner shall be approved by the agency's legal counsel and notify users that:
    1. Users are entering a State of Iowa system
    2. Access is limited to authorized use only
    3. Users consent to monitoring
  9. Access Control: User authentication is required for all web applications that collect, transmit, display or store confidential data or where the integrity of the data must be maintained. Required access controls include:
    1. User ID: Each user must have a unique user ID.
    2. Access Review: User group roles and rights must be reviewed at least quarterly.
    3. Passwords:
      1. At least eight characters
      2. A mixture of numbers, upper-case letters and lower-case letters
      3. At least one special character
      4. Changed at least every sixty days
      5. Passwords shall not be transmitted in clear text
    4. Log Off: Applications shall log off users after 20 minutes of inactivity.
    5. Failed Log-In:
      1. Accounts are locked after five failed login attempts within 60 minutes.
      2. Users shall remain locked out for 24 hours or until the account is reset by an administrator.
      3. A message shall be displayed telling the user whom to contact when this event occurs.
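An added example, not part of the standard itself: a Python reference implementation of the Access Control checks above (password complexity, the five-failures-within-60-minutes lockout with 24-hour expiry or administrator reset, and the 20-minute inactivity log-off). Timestamps are passed in as epoch seconds so the logic runs without a clock.

```python
# Added example (not part of the Iowa Enterprise Web Application Security Standard).
# Parameters mirror the Access Control element; timestamps are epoch seconds.
import re
from collections import defaultdict

MIN_LENGTH = 8               # at least eight characters
FAILED_LIMIT = 5             # five failed attempts ...
FAILED_WINDOW = 60 * 60      # ... within 60 minutes
LOCKOUT_SECONDS = 24 * 3600  # locked for 24 hours unless an administrator resets
IDLE_TIMEOUT = 20 * 60       # log off after 20 minutes of inactivity


def password_meets_policy(pw: str) -> bool:
    """Length, digit, upper-case, lower-case and special character, per the standard."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"\d", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


class LoginGuard:
    """Tracks failed logins per user ID and enforces the lockout rule."""

    def __init__(self):
        self.failures = defaultdict(list)  # user -> timestamps of recent failures
        self.locked_until = {}             # user -> epoch second the lock expires

    def is_locked(self, user: str, now: int) -> bool:
        return now < self.locked_until.get(user, 0)

    def record_failure(self, user: str, now: int) -> bool:
        """Record one failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        # Keep only failures inside the sliding 60-minute window, then add this one.
        window = [t for t in self.failures[user] if now - t < FAILED_WINDOW]
        window.append(now)
        self.failures[user] = window
        if len(window) >= FAILED_LIMIT:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = []
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures[user] = []  # a good login clears the failure window

    def admin_reset(self, user: str) -> None:
        self.locked_until.pop(user, None)  # administrator reset ends the lockout early
        self.failures[user] = []


def session_expired(last_activity: int, now: int) -> bool:
    """True once the user has been idle for the 20-minute limit."""
    return now - last_activity >= IDLE_TIMEOUT
```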
  10. Logs: Web application logs must be collected and reviewed for security events. These logs must meet agency data retention requirements. Minimum security events to be logged include:
    1. Startup and shutdown
    2. Authentication
    3. Authorization/permission granting
    4. Process invocation
    5. Unsuccessful logins
    6. Unsuccessful data access attempts
    7. Data deletions
    8. Data transfers
    9. Application configuration changes
  11. Application Firewall: An application firewall shall be installed in front of all external web facing applications.
  12. Source Code: Access to web application source code shall be restricted to authorized employees.
  13. Database: Backend databases shall not be hosted on the same physical server as web applications in production.
  14. Training: Web application developers must receive technical training annually in secure coding techniques.
  15. Service Providers: Agency web applications developed/hosted by an Applications Service Provider or other third party must comply with the Enterprise Web Application Security Standard (http://das.ite.iowa.gov/standards/enterprise_it/index.html).
  16. Inventory: Agencies must provide the Information Security Office with a list of all web applications collecting confidential information, including for each:
    1. Application Name
    2. URL
    3. Application owner
  17. Security Audits: The Information Security Office shall conduct periodic security reviews of a sample of state web applications.
Updates

This document will be reviewed at least every two years and updated as needed.

Effective Date

This standard shall be effective September 30, 2010, for all new web applications and December 31, 2011, for all existing web applications.

Enforcement

This standard shall be enforced pursuant to Iowa Administrative Code 11—25.11(8A).

Variance

Iowa Administrative Code 11 - 25.11(2) provides for variances from security standards. Requests for a variance from any of the requirements of this policy will be submitted in writing to the Chief Information Security Officer prior to implementation.
