Category: Information Technology
Responsible Office: Enterprise Application Services
Responsible Executive: Director of Enterprise Application Services
Date Established: September 24, 2025
This standard outlines the practices necessary for secure application development and administration at the University at Buffalo, ensuring the protection of its information technology resources.
The University at Buffalo (UB, university) is dedicated to ensuring that all applications produced and developed using community resources follow secure application development practices. This standard serves as a part of the university’s Information Security Program. Adherence to this standard will not only increase the security of applications but will also help safeguard UB’s information technology resources and assets.
Strong authentication mechanisms, such as multi-factor authentication (MFA), must be enabled to ensure proper authorization controls. Single sign-on (SSO) must be used wherever possible. All UB staff and students are assigned Duo accounts, which must be used to access university systems requiring MFA. Application Programming Interface (API) keys, credentials, and other confidential login information must be stored in a secure vault. Confidential information, such as stand-alone system-level credentials, must never be hardcoded into code. Note that this standard is an application-specific requirement.
Permission to access university data is granted or revoked by UB Data Stewards. Access to data via direct database access or APIs that return university data must be granted by the appropriate Data Steward. It is considered best practice for access to be controlled by Lightweight Directory Access Protocol (LDAP) groups or granted to individuals with specific UB Affiliations.
Access controls to files, data, and applications must follow a role-based model, such as Role-Based Access Control (RBAC) or Mandatory Access Control (MAC). Once the most appropriate role-based model has been enabled, Data Stewards must assume that threats can originate from both inside and outside the network, and they must ensure that individuals with access are granted the least privileges necessary.
Periodic reviews of user roles and permissions must be conducted to ensure they remain appropriate. Access control policies, outlining how access is granted, reviewed, and revoked, must be developed, documented, and communicated to all users. Well-defined access control roles must be established based on job functions and responsibilities, granting users the minimum level of access necessary for their roles. Access for users whose roles have changed must be removed or adjusted, and critical tasks must be separated among multiple roles to prevent conflicts of interest and reduce the risk of fraud or error.
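The following is an added example, not code from the standard or from any UB system, showing how the role-based model described above can be enforced and reviewed: a role hierarchy with default-deny authorization checks, a least-privilege review that flags roles beyond what a job function allows, and a separation-of-duties check for the "critical tasks separated among multiple roles" requirement. The roles, permissions, job functions and conflict pairs are constructed for illustration.

```python
"""Role-based access control with a role hierarchy, default-deny checks,
a least-privilege review and a separation-of-duties (SoD) check.

Added example for this standard; not code from the original document.
Roles, permissions, job functions and conflict pairs are constructed.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Permissions each role grants directly (constructed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"record:read"},
    "editor": {"record:write"},
    "approver": {"record:approve"},
    "admin": {"user:manage"},
}

# Role hierarchy: a role inherits the permissions of its parents (constructed).
ROLE_PARENTS: Dict[str, Set[str]] = {
    "editor": {"viewer"},
    "approver": {"viewer"},
    "admin": {"viewer"},
}

# Critical tasks that must be split across different people (constructed):
# whoever writes a record must not also be able to approve it.
SOD_CONFLICTS: List[Tuple[str, str]] = [("record:write", "record:approve")]


def effective_permissions(role: str, _seen: Optional[Set[str]] = None) -> Set[str]:
    """Permissions of a role, including everything inherited through its parents."""
    seen = _seen if _seen is not None else set()
    if role in seen:  # guards against cycles in a misconfigured hierarchy
        return set()
    seen.add(role)
    perms = set(ROLE_PERMISSIONS.get(role, set()))
    for parent in ROLE_PARENTS.get(role, ()):
        perms |= effective_permissions(parent, seen)
    return perms


def user_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of the effective permissions of every role a user holds."""
    perms: Set[str] = set()
    for role in roles:
        perms |= effective_permissions(role)
    return perms


def is_authorized(roles: Iterable[str], permission: str) -> bool:
    """Default deny: authorized only if some held role grants the permission."""
    return permission in user_permissions(roles)


def sod_violations(roles: Iterable[str]) -> List[Tuple[str, str]]:
    """Conflicting permission pairs that one user's roles would combine."""
    perms = user_permissions(roles)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def review_access(assignments: Dict[str, Set[str]],
                  jobs: Dict[str, str],
                  allowed_roles_by_job: Dict[str, Set[str]]) -> List[dict]:
    """Periodic access review: flag roles beyond what a user's job function
    allows (least privilege) and role combinations that break SoD."""
    findings = []
    for user, roles in sorted(assignments.items()):
        allowed = allowed_roles_by_job.get(jobs.get(user, ""), set())
        for role in sorted(roles - allowed):
            findings.append({"user": user, "issue": "excess-role", "detail": role})
        for pair in sod_violations(roles):
            findings.append({"user": user, "issue": "sod-conflict",
                             "detail": f"{pair[0]} + {pair[1]}"})
    return findings


if __name__ == "__main__":
    # Constructed sample assignments for one review run.
    assignments = {"alice": {"editor"}, "bob": {"editor", "approver"}, "carol": {"admin"}}
    jobs = {"alice": "analyst", "bob": "analyst", "carol": "analyst"}
    allowed = {"analyst": {"viewer", "editor"}, "it-ops": {"admin"}}
    for finding in review_access(assignments, jobs, allowed):
        print(finding)
```

Running the review over the constructed assignments reports two findings for bob (an approver role the analyst job does not allow, and the write/approve conflict) and one for carol (an admin role outside her job function); a real implementation would feed these to the Data Steward responsible for the affected data.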
Secure coding practices are essential to preventing common system vulnerabilities. Individuals must implement input validation to prevent SQL injection, Cross-Site Scripting (XSS), and other attacks; minimizing the system's attack surface is crucial.
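As an added example (not code from the standard), the snippet below shows the two defences the paragraph names side by side with the pattern they replace: an allow-list validator and a parameterized query against string-built SQL, and HTML output encoding for the XSS case. The in-memory SQLite table, rows and usernames are constructed for illustration.

```python
"""Input validation, parameterized queries and output encoding.

Added example for this standard; not code from the original document.
The table, rows and usernames are constructed for illustration.
"""
import html
import re
import sqlite3
from typing import List

# Allow-list: the only characters a username may legitimately contain (assumed).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    conn.commit()
    return conn


def is_valid_username(value: str) -> bool:
    """Allow-list validation: reject anything outside the expected character set."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup_role_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Anti-pattern kept for contrast: the input is concatenated into the SQL
    text, so the database parses whatever the caller supplied as part of the
    statement."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Validate first, then bind the value as a parameter; the driver never
    treats the value as SQL, so the shape of the query cannot change."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    rows = conn.execute("SELECT role FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def render_greeting(username: str) -> str:
    """Output encoding for an HTML context: characters with meaning in HTML
    are escaped so a stored or reflected value cannot become markup or script."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    print(lookup_role_safe(conn, "alice"))
    print(render_greeting("<b>alice</b>"))
```

Validation and parameterization are independent layers: the bound parameter alone prevents the query from changing shape, and the allow-list rejects malformed input early and gives a clean audit trail of rejected requests.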
The timely and consistent application of vendor-supplied security patches, or mitigation of a reported vulnerability, in accordance with the Software Patch Scheduling Standard, is a critical component in protecting the campus network, systems, and data from damage or loss due to threats such as worms, viruses, data loss, or other types of external or internal attacks.
All third-party components and libraries included within the application must also be monitored and updated regularly to patch vulnerabilities.
Encryption must adhere to applicable SUNY, state, and federal regulations.
Use Secure Protocols:
Use trusted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates to authenticate servers and optionally authenticate clients. Establish encrypted communication channels using protocols such as HTTPS, FTPS, or database-specific implementations of TLS.
Data at rest includes files on hard drives, databases, or cloud archives. When encrypting data at rest, individuals must ensure the following criteria are met:
Disk-Level Encryption
Database-Level Encryption
Field-Level Encryption
Key Management
Secure Backups
Flat Files
Code must always be tested and scanned for vulnerabilities prior to deployment. There are many free and open-source options available for secure image scanning. Additionally, a high-quality scanning tool will indicate whether the code references old or outdated packages.
All software applications deployed within the organization must be configured to minimize network exposure. Applications should only be accessible over the network by authorized users and systems with a legitimate business need. Wherever feasible, applications must be isolated from the public internet and protected using appropriate network access control mechanisms.
This application standard follows university data retention and disposal policies.
Additionally, processes for data retention, archival, and secure deletion must be implemented. Sensitive data must be masked in non-production environments to protect it from unauthorized access.
Web server logs for network resources such as APIs, database connections, or web applications can identify who, what, when, and how a resource was accessed. Logs must be collected and monitored for ongoing security-related events and as part of regular business routines. Implement centralized log aggregation and have automated notifications set up for specific events that indicate a security threat. Retain audit logs for forensic investigation and manage them in compliance with the Data Retention and Disposition Policy.
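The following is an added example, not code from the standard, of the "collect, monitor, and notify" loop described above, run over a few constructed web-server log lines in the common combined format: the parser turns aggregated lines into events, and two detection rules (a burst of failed logins from one address, and a successful response on an admin path with no authenticated user) produce the alerts a notification hook would be fed. The rules, thresholds and time window are assumptions chosen for illustration.

```python
"""Centralized log review with automated alerting on security-relevant events.

Added example for this standard; not code from the original document.
The log lines are constructed in combined web-server log format; the rules,
threshold and window are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs: one normal API call, five failed logins from one
# address within a few seconds, one authenticated admin request and one
# unauthenticated request to an admin path.
SAMPLE_LOGS = """\
10.0.0.5 - - [24/Sep/2025:10:00:01 -0400] "GET /api/records HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [24/Sep/2025:10:00:02 -0400] "POST /login HTTP/1.1" 401 128 "-" "python-requests/2.31"
198.51.100.7 - - [24/Sep/2025:10:00:03 -0400] "POST /login HTTP/1.1" 401 128 "-" "python-requests/2.31"
198.51.100.7 - - [24/Sep/2025:10:00:04 -0400] "POST /login HTTP/1.1" 401 128 "-" "python-requests/2.31"
198.51.100.7 - - [24/Sep/2025:10:00:05 -0400] "POST /login HTTP/1.1" 401 128 "-" "python-requests/2.31"
198.51.100.7 - - [24/Sep/2025:10:00:06 -0400] "POST /login HTTP/1.1" 401 128 "-" "python-requests/2.31"
10.0.0.8 - alice [24/Sep/2025:10:01:00 -0400] "GET /admin/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Sep/2025:10:02:00 -0400] "GET /admin/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_logs(text: str) -> List[dict]:
    """Turn raw combined-format lines into event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(e)
    return events


def detect_failed_login_bursts(events: List[dict], threshold: int = 5,
                               window: timedelta = timedelta(minutes=1)) -> List[dict]:
    """Alert once per source address that accumulates `threshold` failed logins
    (HTTP 401 on /login) inside a sliding time window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["path"] == "/login" and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "failed-login-burst", "ip": ip,
                               "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break
    return alerts


def detect_unauthenticated_admin_access(events: List[dict]) -> List[dict]:
    """Alert on successful responses for /admin paths with no authenticated user."""
    return [{"rule": "unauthenticated-admin-access", "ip": e["ip"],
             "path": e["path"], "ts": e["ts"]}
            for e in events
            if e["path"].startswith("/admin") and e["status"] == 200 and e["user"] == "-"]


def run_detection(text: str) -> List[dict]:
    """Parse aggregated logs and run every rule; the returned alerts are what a
    notification hook (email, ticket, SIEM) would be fed."""
    events = parse_logs(text)
    return detect_failed_login_bursts(events) + detect_unauthenticated_admin_access(events)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOGS):
        print(alert)
```

The sliding window matters: five failures spread over an hour are ordinary user behaviour, while five inside a minute are worth a notification, and the same parsed events can be retained unchanged for later forensic review under the retention policy.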
Error messages must not provide detailed system information. Errors within the application must be handled appropriately to ensure they do not deny service, impair security mechanisms, or cause the system to crash. Peer code reviews must be performed to ensure secure coding practices have been followed. Such reviews identify vulnerabilities, enforce best practices, and maintain code quality.
Development teams must use a version control system to enhance security by maintaining a history of changes, enabling audit trails, enforcing access controls, and reducing the risk of unauthorized modifications. Role-based permissions, encryption, and commit verification must be enabled to protect sensitive code and prevent tampering.
Applications must be hosted on a service that is fully supported, patched, and maintained. It is highly recommended that applications be hosted within the VPCIO provided and supported CaaS OpenShift environment. If a third-party provider is being used, the service must clear the university’s purchasing compliance process prior to purchase or installation.
The system administrator for on-premises (on-prem) systems must ensure the system follows the UB Minimum Server Security and Hardening Standards policy. If the application contains Category 1 or Category 2 university data, the system must strictly follow UBIT’s disaster recovery standards.
When using AI technology, individuals should not enter Category 1 or Category 2 data, including non-public research data, into AI tools with which the university has not entered into a contract.
This standard has been developed to ensure that applications utilizing university data are hosted, maintained, and operated in a manner that complies with the university’s security policies and legal and regulatory requirements. UB aims to mitigate risks, enhance data security, and protect its data assets from unauthorized access and breaches.
This standard applies to all software and web applications, including mobile applications, that use university data and run on physical or virtual hosts, including third-party cloud or datacenter hosts, irrespective of the application developer or the device used for programming. Depending on the classification of the data involved, some aspects of this standard may be required or recommended. Authorization from the CISO is required before building systems that use Category 1 university data.
This standard applies to all faculty, staff, student employees, contractors, and vendors who develop or administer applications making use of university data. Compliance with this standard is mandatory. Individuals must understand their roles and responsibilities regarding information security and protecting UB’s data assets. The failure to comply with this or any other information security program policy that results in the compromise of university data confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement.
Application Programming Interface (API): A type of software interface, offering a service to other pieces of software.
Authentication: The process of verifying the identity of a user, system, or application before granting access to resources.
Authorization: The process of determining whether a user, system, or application has the necessary permissions to access a resource or perform a specific action.
Database Management System (DBMS): A software system designed to manage and organize data in a structured manner. It allows users to create, modify, and query a database, as well as manage the security and access controls for that database. A DBMS provides an environment to store and retrieve data in a convenient and efficient manner.
Lightweight Directory Access Protocol (LDAP): An open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Mandatory Access Control (MAC): Categorizes both subjects (user identities) and objects (files and data) with multiple levels of classification (labels). Example: the Bell-LaPadula model.
Secure Vault: A highly secure storage solution designed to protect and manage sensitive data and digital assets. These vaults employ advanced encryption and authentication measures to ensure that only authorized individuals can access the stored information.
Key Rotation: A security practice used to enhance the safety of encrypted data in a network or system. It involves changing the cryptographic keys that secure data at regular intervals. These cryptographic keys are special codes that encrypt (scramble) and decrypt (unscramble) information, ensuring that only authorized parties can understand the data being transmitted or stored.
Role-Based Access Control (RBAC): Access control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.
Software and application developers and administrators, along with those involved in the management or supervision of such, are responsible for ensuring compliance with these standards.
Enterprise Application Services