BP 8111 Software Development

Statement of Purpose

PCC’s Information Security Policies support the following goals:
1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
2. Ensure that PCC complies with all applicable laws and regulations.
3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
4. Ensure that users are protected from data breach and cybercrime.
5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
6. Prevent unauthorized disclosure of controlled sensitive data.
7. Prevent disruption of the learning experience.
8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
9. Ensure that IT systems are used for their intended purposes.
10. Establish processes for addressing policy violations and sanctions for violators.

In addition to network, hardware and operating system vulnerabilities, software applications themselves can be vulnerable to attack because of the way they are coded. There are known software design patterns that introduce cyber risk, and there are established coding best practices, known as “secure coding techniques”, that prevent these vulnerabilities from being introduced into software code.

This policy seeks to ensure that any development work done by PCC IT staff is free of code vulnerabilities.

Scope Statement

This policy applies to any software code deployed to the PCC production environment and/or any code that accesses PCC controlled sensitive data.

Accountable and responsible individuals are PCC IT staff that develop code, whether application code or scripting. Third parties that provide application software to PCC that accesses controlled sensitive data are also subject to this policy.

Policy Summary

The design and development of software deployed on Portland Community College (PCC) Information Technology (IT) resources shall adhere to industry best practice secure development standards.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

SEPARATION OF ENVIRONMENTS
1. PCC shall maintain Development (DEV) and/or test environments separate from the Production (PROD) environment of its primary enterprise systems.
2. If there is connectivity with the PROD PCC network, access controls shall be in place to enforce separation.
3. All code promotion to the PROD environment shall be accomplished by a designated agent in accordance with Change Management standards and policy.

SYSTEM DEVELOPMENT LIFECYCLE
1. Internal and third party development and deployment of software shall utilize industry recognized Software Development Lifecycle (SDLC) best practices.
2. For applications that handle confidential data, security controls shall be implemented throughout the development lifecycle and shall be enforced when the code is updating databases.

SYSTEM DEVELOPMENT LIFECYCLE STANDARDS
1. Requirements Analysis – Developers shall determine whether application requirements are inherently insecure.
2. Design – Application components shall be planned in a manner consistent with data and network security.
3. Development – Developers shall consider all application vulnerabilities (e.g., memory-safety issues, privilege and access-control bypass, injection, etc.).
4. Code Review – A second developer shall conduct code reviews of all new and changed software, specifically in an attempt to identify security issues.
5. Quality Assurance (QA) Implementation – Implementation shall not compromise security controls already in place, or introduce new vulnerabilities.
6. QA Testing – In addition to functional and efficiency testing, all security features of the application shall be tested.
7. Documentation – All application feature and implementation documentation shall include direction on proper security configurations.
8. Production Implementation – Implementation shall not compromise security controls already in place or introduce new vulnerabilities.
9. Production Testing – In addition to functional and efficiency testing, all security features of the application shall be tested.
10. Maintenance – All future application maintenance shall not compromise security controls already in place or introduce new vulnerabilities. Any new code shall be reviewed and tested as detailed above.

SOFTWARE DEVELOPMENT AND CODE REVIEW
1. Software applications shall be developed based on industry best practices and shall incorporate information security throughout the software development lifecycle.
2. Custom-built software and web code shall conform to PCC policies. If required, security features built into the software shall be developed in compliance with policy.
3. A process for performing code review for software that updates data shall be required prior to moving code into production.
4. There shall be separation of duties to ensure that developers are not responsible for testing applications and developers/testers are not responsible for introducing changes into the production environment.
5. Code reviews shall be performed by qualified staff other than the originating coder. Code reviews are required for new code and for code changes.
6. All web development and deployment shall be done in accordance with the most current Open Web Application Security Project (OWASP) guidelines.
7. The following vulnerabilities shall be considered during code review and testing phases:
– Cross-site scripting (XSS)
– Injection flaws, particularly SQL, LDAP and XPath injection
– Malicious file execution
– Insecure direct object references
– Cross-site request forgery (CSRF)
– Information leakage and improper error handling
– Broken authentication and session management
– Insecure cryptographic storage
– Insecure communications
– Failure to restrict URL access

Exemptions

None

Exceptions

Exceptions to this policy must be pre-approved in writing by the Director of Application Services

Policy Violation

1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint Procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing Standards, Policies & Guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

Application
(aka Application Software) A computer program that is designed to perform a specific set of functions.

D2L is an application designed to support online learning. Microsoft Word is an application designed for word processing.

Code
Source Code (aka program code) is the set of instructions forming a computer program, so that the functions described can be executed by a computer. Source Code is written in a specific computer language – for example, C++, Java, Python, etc.

Machine Code is the actual code that is executed by the computer.

Source Code is translated into Machine Code by specialized software: a compiler translates it ahead of time, while an interpreter translates and executes it as the program runs.

Controlled Sensitive Data (CSD)
A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.

Cross-site Scripting (XSS)
An attack in which untrusted input is placed into a dynamically generated Web page without proper encoding, so that attacker-supplied script runs in the browsers of other users who view the page.

Cybercrime
Criminal activity or a crime that involves the Internet, a computer system, or computer technology.

Data Breach
Generally, an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.

Note: Although “breach” is a commonly used term in the information security community, legally, the term “breach” tends to only be used when a security event reaches the threshold of regulatory reporting. PCC legal counsel recommends using the terms “incident” or “compromise” until it can be determined whether an event satisfies the legal definition of a breach.

Hardware
The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)

IT Resource
(At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.

Injection Flaw
A software vulnerability that can be exploited by attackers.

A class of security vulnerability that allows a user to “break out” of the web application context. If your web application takes user input and inserts that user input into a back-end database query, shell command, directory (LDAP) query, XPath expression, or operating system call without separating data from syntax, your application may be susceptible to an injection flaw.
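The following is an added illustration of the injection flaw defined above and of the “Injection flaws” item in the code-review list; it is example code written for this page, not PCC code. It builds a constructed in-memory SQLite table of sample records (not PCC data), runs the same student-ID lookup once with the query assembled by string formatting and once with a parameterized query, and shows that the classic `' OR '1'='1` payload returns every row from the first and nothing from the second. The table and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample records for the example only (not PCC data).
SAMPLE_RECORDS = [
    ("G001", "Ada", "A"),
    ("G002", "Ben", "B"),
    ("G003", "Cy", "C"),
]


def make_db():
    """Create an in-memory database holding the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (student_id TEXT, name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?)", SAMPLE_RECORDS)
    return conn


def lookup_vulnerable(conn, student_id):
    """Injection flaw: the user-supplied value is pasted into the SQL text,
    so quote characters in it become part of the query's syntax."""
    sql = "SELECT student_id, name, grade FROM grades WHERE student_id = '%s'" % student_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, student_id):
    """Hardened form: the value is bound as a parameter, so the database
    treats it purely as data and it can never change the query's structure."""
    sql = "SELECT student_id, name, grade FROM grades WHERE student_id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


def demo():
    """Run both lookups with a legitimate ID and with an injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # closes the quoted literal and appends an always-true clause
    return {
        "vuln_normal": lookup_vulnerable(conn, "G002"),   # one record, as intended
        "vuln_attack": lookup_vulnerable(conn, payload),  # every record leaks
        "safe_normal": lookup_safe(conn, "G002"),         # one record, as intended
        "safe_attack": lookup_safe(conn, payload),        # no record matches the literal string
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same rule, keep untrusted input out of the syntax of whatever you are building, applies to LDAP filters, XPath expressions, and shell commands: use the parameterization or escaping facility of the library in question rather than assembling the query text by hand, and have the code reviewer look specifically for string formatting or concatenation that feeds a query or command.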

Lightweight Directory Access Protocol (LDAP)
A standard protocol for querying and updating directory services, which hold information about users, groups, and other resources and are commonly used for authentication and access decisions (e.g. Active Directory).

LDAP queries are built from filter expressions; if user input is placed into a filter without escaping, the result is an LDAP injection flaw.

Network
(In IT) The technology that carries messages between one computer and another.

A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.

End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.

The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).

Open Web Application Security Project (OWASP)
A non-profit organization that publishes free, vendor-neutral guidance, tools, and standards for securing web applications, including the OWASP Top 10 list of web application risks.

Production Environment (PROD)
The technology environment where software and other products are actually put into operation for their intended uses by end users.

This is a highly controlled and monitored environment and separate from the development, test, or other environments where software is not intended for production use.

Session
(In IT) A form of communication between computers in which information is commonly maintained for the duration of the transaction or session.

A stateful protocol requires keeping the internal state of the session on the server. A TCP connection-oriented session is a ‘stateful’ connection because both systems maintain information about the session itself during its life.

SQL Injection
An injection flaw in which untrusted input is placed into a database query so that it is interpreted as SQL syntax rather than as data, allowing an attacker to read, modify, or delete data the application did not intend to expose. It is prevented by using parameterized queries (prepared statements) rather than building query text from user input.

Software
A set of instructions that tells a computer what to do.

Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. The most common software consists of applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, provides artificial intelligence in robots, controls scientific instruments, etc.

Software Development Lifecycle (SDLC)
A process used by the software industry to design, develop, test, and deploy high quality software.

System
(In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.

Third Party
(In Information Technology [IT]) A vendor. Can be applied to any vendor (“third party provider”), but mostly used regarding “vendor software” to distinguish it from software developed “in house.”

User
Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

XPath
A W3C query language for selecting parts of an XML document.

A syntax for defining parts of an XML document. XPath uses path expressions to navigate in XML documents and includes a library of standard functions. Applications that build XPath expressions from user input without escaping are susceptible to XPath injection.

Responsible Executive

Chief Information Officer

Responsible Officer

Director of Application Services

Responsible Office

IT Application Services Division

Last Revision Date

09-19-2019