SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS

Similar documents
NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

PASSWORD MANAGEMENT POLICY OCIO TABLE OF CONTENTS

Magento Security and Vulnerabilities. Roman Stepanov

Check list for web developers

Web Application Security

Penetration Test Report

Application security testing: Protecting your application and data

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Hack Proof Your Webapps

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Network Threats and Vulnerabilities. Ed Crowley

Last update: February 23, 2004

What is Web Security? Motivation

The Top Web Application Attacks: Are you vulnerable?

White Paper. Understanding NIST FISMA Requirements

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Sitefinity Security and Best Practices

Where every interaction matters.

WEB ATTACKS AND COUNTERMEASURES

Cross-Site Scripting

Annex B - Content Management System (CMS) Qualifying Procedure

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

External Supplier Control Requirements

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Web Application Security Assessment and Vulnerability Mitigation Tests

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Information Technology Policy

Stopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet?

How To Protect A Web Application From Attack From A Trusted Environment

Security features of ZK Framework

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

elearning for Secure Application Development

Web Application Security

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Web Application Report

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

Application Firewall Overview. Published: February 2007 For the latest information, please see

Web Application Penetration Testing

Common Security Vulnerabilities in Online Payment Systems

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Cross Site Scripting Prevention

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Web Application Security

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Attack Vector Detail Report Atlassian

SQuAD: Application Security Testing

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Exploits: XSS, SQLI, Buffer Overflow

WEB 2.0 AND SECURITY

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Guidelines for Web applications protection with dedicated Web Application Firewall

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Cross Site Scripting in Joomla Acajoom Component

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

IBM Protocol Analysis Module

OWASP Top Ten Tools and Tactics

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Organizations Should Implement Web Application Security Scanning

Developing ASP.NET MVC 4 Web Applications MOC 20486

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

(WAPT) Web Application Penetration Testing

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Network Security Audit. Vulnerability Assessment (VA)

A Tale of the Weaknesses of Current Client-side XSS Filtering

The Prevalence of Flash Vulnerabilities on the Web

Webapps Vulnerability Report

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

Keyword: Cloud computing, service model, deployment model, network layer security.

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

5 Simple Steps to Secure Database Development

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

ANTI-VIRUS POLICY OCIO TABLE OF CONTENTS

Web Application Guidelines

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Practical Exploitation Using A Malicious Service Set Identifier (SSID)

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Microsoft Office Communicator Web Access Security Guide

Transcription:

OFFICE OF THE CHIEF INFORMATION OFFICER OCIO-6013-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES VII. EXCEPTIONS VIII. REFERENCES IX. EFFECT ON OTHER POLICIES I. PURPOSE This document establishes policy within the United States Patent and Trademark Office (USPTO) requiring the use of Secure Application Development Code standards and guidelines. This policy establishes minimum practices to ensure secure code is developed and implemented on all USPTO IT systems. The scope and role of IT security has changed due to technology advancements over the years. Until recently, the IT security focus has been on securing the network layer perimeter. Intrusions and exploits have turned their focus away from network perimeter towards application code through the Web. These attacks are transparent to both network firewalls and Intrusion Detection Systems and as a result, malicious code can move through networks. Web application design and coding defects have been identified as the root cause of 85% of all security vulnerabilities. Developers must considered security a part of their common coding practices. This policy intends to change the present practice, provide awareness and ensure security is established when developing code. These top 5 most common vulnerabilities are a direct result of inadequate secure coding practices: Cross-Site Scripting SQL Injection Secure Application Development Coding Policy Version 1.3.5 1

II. HTTP Response Splitting Content Spoofing Information Leakage AUTHORITY This policy is issued pursuant to: III. The Federal Information Management Security Act of 2002 (FISMA). USPTO IT Security Policy Management Policy. SCOPE The provisions of this policy apply to all USPTO employees and all contractor employees providing support services to USPTO and trusted contractor sites that process USPTO data. This policy s purpose is to reduce: IV. 1. The likelihood the malicious code will be inserted in software. 2. The impact of malicious code that is already present in deployed software. DEFINITIONS Cross-Site Scripting (XSS): a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued. 1 SQL Injection: A technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. 2 HTTP Response Splitting: An attacker's ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response. This type of vulnerability can be exploited to perform several web application based attacks. HTTP Response splitting is a web application vulnerability that can be used for the purposes of allowing the user execution of HTML or Java script code which can then lead to the hijacking of the user's cookie or session. They even allow JavaScript code execution and may be used to exploit other vulnerabilities in browsers with more anonymity. 1 http://en.wikipedia.org/wiki/cross-site_scripting 2 http://en.wikipedia.org/wiki/sql_injection Secure Application Development Coding Policy Version 1.3.5 2

Content Spoofing: An attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source. Some web pages are served using dynamically built HTML content sources. When the resulting web page is served, the browser location bar visibly remains under the user expected domain, but the foreign data is shrouded by legitimate content. Specially crafted links can be sent to a user via e-mail, instant messages, left on bulletin board postings, or forced upon users by a Cross-site Scripting attack. If an attacker gets a user to visit a web page designated by their malicious URL, the user will believe he is viewing authentic content from one location when he is not. 3 Information Leakage: When a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system. Sensitive information may be present within HTML comments, error messages, source code, or simply left in plain sight. There are many ways a web site can be coaxed into revealing this type of information. While leakage does not necessarily represent a breach in security, it does give an attacker useful guidance for future exploitation. Leakage of sensitive information may carry various levels of risk and should be limited whenever possible. 4 V. POLICY A. General Policy The adherence to and use of Secure Application Development Coding Policy is a requirement for all software development on USPTO information technology systems and trusted contractor sites processing USPTO data. Development of code shall be checked and validated with the most current versions of USPTO Coding Standards for Secure Application Development. All code developers shall verify that their code is in compliance with the most recent and approved coding standards and guidelines. Only validated code shall be implemented into the USPTO production environment. A review and validation ensures that code exhibits fundamental security properties to include correctness, predictability, and attack tolerance Application Code Developers shall: 1. Ensure code meets the level of confidence that software is free from exploitable code vulnerabilities, regardless of whether they are already designed into the software or inserted later in its life cycle. 2. Ensure code provides predictable execution or justifiable confidence and that the software, when executed, will provide security functionality as intended. 3. Never trust incoming data to the system, apply checks to this data. 3 http://www.webappsec.org/projects/threat/classes/content_spoofing.shtml 4 http://www.webappsec.org/projects/threat/classes/information_leakage.shtml Secure Application Development Coding Policy Version 1.3.5 3

VI. 4. Never rely on the client to store sensitive data no matter how trivial. 5. Disable Error messages that return any information to the user. 6. Use object inheritance, encapsulation, and polymorphism wherever possible. 7. Use environment variables prudently and always check boundaries and buffers. 8. Applications must validate input to ensure it is well-formed and meaningful. RESPONSIBILITIES IT Security Management Group (ITSMG) shall: Ensure communication of this policy to all USPTO employees and contractor employees. Maintain and review this policy at least annually. All USPTO employees and contractors shall: Adhere to this policy and shall not engage in any activity that might circumvent its provisions. VII. EXCEPTIONS Additional exceptions to this policy shall be determined on a case-by-case basis using the waiver process as defined in the USPTO IT Security Handbook. VIII. REFERENCES E-Government Act (Public Law 107-347), Title III - Federal Information Security Management Act (FISMA), December 2002. Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, February 2004. Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Revised November 2000. OMB M-03-22 Guidance for implementing the Privacy Provisions of the E-Government Act of 2002 OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 2006. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June 2006. Secure Application Development Coding Policy Version 1.3.5 4

OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost,for Security in Agency Information Technology Investments, July 2006. OMB Memorandum M-07-16, Safiguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007 The Privacy Act of 1974,5 U.S.C. 5552a U.S. Department of Commerce, IT Privacy Policy. U.S. Department of Commerce, IT Security Program Policy and Minimum Implementation Standards, June 30,2005. U.S. Patent and Trademark Office, Agency Administrative Order 212-4, USPTOIT Security Handbook. U.S. Patent and Trademark Office, IT Privacy Policy. U.S. Patent and Trademark Office, Rules of the Road. U.S. Patent and Trademark Office, Comprehensive Records Schedule. IX. EFFECT ON OTHER POLICIES This policy affects all new, revised, or retired policies issued in Fiscal Year 2009. ISSUED BY: chi& l$p&tion officer United tates Patent and Trademark Office OFFICE OF PRIMARY INTEREST: IT Security Management Group Secure Application Development Coding Policy Version 1.3.5 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information