Date: 29.07.2017

Government Standard on Information & Communication Technology

ODG/S4.14

Security

Web Application Security Standards

Confidentiality: Public

Version: 1.2




This policy or standard is intended for use by South Australian Government agencies only. Reliance upon this policy or standard by any other person is entirely at their own risk and the Crown in the right of South Australia disclaims all responsibility or liability to the extent permissible by law for any such reliance.




Table of Contents

1. Purpose
2. Context
    1.1 Background
3. Scope
    1.2 Scope Inclusions
    1.3 Scope Exclusions
4. Terms, Abbreviations and Conventions
    1.4 Terms and Abbreviations
    1.5 Conventions
5. Standards
    5.1 Requirements Analysis
    5.2 Design
    5.3 Development
    5.4 Outsourced Development
    5.5 Testing
    5.6 Implementation
    5.7 Hosting
    5.8 Operations and Maintenance
    5.9 Protection of Source Code
6. Implementation
    1.6 Implementation Considerations
    1.7 Exemptions
    1.8 Responsibilities
7. References & Links
Appendix A – Web Application Coding Checklist
    1.9 Input Validation
    1.10 Output Validation
    1.11 Authentication and Identity Management
    1.12 Access Controls
    1.13 Cookies & Session Management
    1.14 File Management
    1.15 Logging and Auditing
    1.16 Error Handling


1. Purpose

The purpose of these standards is to secure the web presence and information assets of the Government of South Australia.

The objectives of these standards are to ensure that:



  • The implementation or modification of web applications does not lead to the introduction of insecure code which may compromise the confidentiality or integrity of agency information assets

  • Baseline web application security controls are implemented to safeguard against unauthorised modification of web content and/or agency information assets

  • Software development and procurement processes incorporate adequate security so as to prevent adverse impact to agency information technology infrastructure, or the information assets housed within that infrastructure

  • Web applications that capture, store and process personal details consider the requirements of the Government of South Australia’s Information Privacy Principles

  • Security requirements are considered in outsourced web development arrangements to ensure agencies are protected

  • A whole-of-Government approach for developing and procuring secure web applications is established.

These standards are written to support the implementation of the AS/NZS ISO/IEC 27002 standard and the Government of South Australia Information Security Management Framework (ISMF) versions 3.0 and later.

2. Context

1.1 Background

The Government of South Australia has a large number of web applications that provide critical services to public and internal agency stakeholders. These web applications are developed by internal agency staff and by external parties. Commercial off-the-shelf software is typically procured via existing agency processes. These web applications provide static or dynamic content for internal and external users.

Security requirements must be considered in all stages of web development and procurement to ensure that effective security outcomes are achieved, leading to overall risk reduction for agencies.



This standard is intended to be independent of specific application development platforms or commercial applications and therefore does not define platform- or vendor-specific requirements.

3. Scope

1.2 Scope Inclusions



These standards apply to all web applications used for SA Government business. This extends to:

  • all bespoke, customised, and off-the-shelf web applications that require additional customised enhancements, including content management systems

  • web based applications hosted by external providers (off-Net)

  • all internal and public facing web applications hosted within StateNet (on-Net)

  • web applications developed to be accessed from mobile devices including tablets and smartphones.



1.3 Scope Exclusions


These standards do not apply to non-web based software applications (e.g. desktop applications and operating systems).

4. Terms, Abbreviations and Conventions

1.4 Terms and Abbreviations



Public facing – Web content that is accessible by the general public from the Internet.

SDLC – Systems Development Lifecycle

ISMF – Information Security Management Framework

PCI DSS – Payment Card Industry Data Security Standard

OWASP – Open Web Application Security Project

ITSA – Information Technology Security Advisor
