Difference between revisions of "Web Application Security"

From UFRC
Jump to navigation Jump to search
 
(7 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
Back to [[Web_Application_Hosting]]
 
Back to [[Web_Application_Hosting]]
  
=Introduction=
+
=Security Practices=
All web applications developed and running on the PUBAPPS web hosting infrastructure must adhere to the [https://owasp.org/www-project-web-security-testing-guide/ OWASP web security testing guidelines] summarized in the [https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/stable-en/02-checklist/05-checklist.html OWASP Checklist] and especially the [https://owasp.org/www-project-top-ten/ top ten vulnerabilities]. It is the responsibility of a project using PUBAPPS to follow the OWASP guidelines. All web applications are subject to security scanning by UFIT Security and a takedown (immediate to delayed depending on the severity of the issue) with appropriate notification of the project group's sponsor.
+
All web applications developed and running on the PUBAPPS web hosting infrastructure must adhere to good web application security practices. The most prominent source of such practices/guidelines is [https://owasp.org/www-project-web-security-testing-guide/ OWASP web security testing guidelines]. It's a long testing guide, which is also summarized in the [https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/stable-en/02-checklist/05-checklist.html OWASP Checklist]. The most important points are listed in the [https://owasp.org/www-project-top-ten/ top ten vulnerabilities]. It is the responsibility of a project using PUBAPPS to follow the OWASP guidelines. All web applications are subject to security scanning by UFIT Security and a takedown (immediate to delayed depending on the severity of the issue) with appropriate notification of the project group's sponsor.
  
 +
=Application Maintenance=
 
All web applications developed and running in pubapps require maintenance because security requirements are not static and the necessary security updates may necessitate either of  
 
All web applications developed and running in pubapps require maintenance because security requirements are not static and the necessary security updates may necessitate either of  
  
* updating application code if a vulnerability is discovered in a pubapps application.
+
* updating application code if a vulnerability is discovered in an application hosted in PUBAPPS.
* updating the framework an application is using if a vulnerability is discovered in the framework version used by a pubapps application.
+
* updating the framework an application is using if a vulnerability is discovered in the framework version used by a PUBAPPS application.
* Updating application code if the system package(s) were upgraded in the normal course of system maintenance whether due to a security vulnerability in the package or because of a dependency.
+
* Updating application code if the application is no longer functional because its dependencies or system package(s) were upgraded due to a security vulnerability.
  
It is the responsibility of a project hosting application(s) no PUBAPPS to update their application code and or dependencies in response to security vulnerabilities. All applications that are not updated within the timeframe stated in the notification are subject to a takedown.
+
It is the responsibility of a project hosting application(s) no PUBAPPS to update their application code and or dependencies in response to security vulnerabilities. All applications that are not updated within the timeframe stated in the notification are subject to a takedown. UFIT Research Computing is not responsible for applications that become non-functional because they weren't updated in response to security updates in their dependencies or system packages. Containerized applications are responsible for updating application dependencies and system packages inside the containers orchestrated for the application.
 +
 
 +
When major operating system (Red Hat Enterprise Linux) release upgrades are planned on HiPerGator groups with PUBAPPS projects will be notified and provided a development environment to test and implement updates to the application code and dependencies to enable the applications to run on the new operating system releases.
  
 
Please contact [https://support.rc.ufl.edu UFIT RC Support]] if you have any questions or concerns in regards to application(s) hosted in PUBAPPS.
 
Please contact [https://support.rc.ufl.edu UFIT RC Support]] if you have any questions or concerns in regards to application(s) hosted in PUBAPPS.

Latest revision as of 19:10, 18 July 2024

Back to Web_Application_Hosting

Security Practices

All web applications developed and running on the PUBAPPS web hosting infrastructure must adhere to good web application security practices. The most prominent source of such practices/guidelines is OWASP web security testing guidelines. It's a long testing guide, which is also summarized in the OWASP Checklist. The most important points are listed in the top ten vulnerabilities. It is the responsibility of a project using PUBAPPS to follow the OWASP guidelines. All web applications are subject to security scanning by UFIT Security and a takedown (immediate to delayed depending on the severity of the issue) with appropriate notification of the project group's sponsor.

Application Maintenance

All web applications developed and running in pubapps require maintenance because security requirements are not static and the necessary security updates may necessitate either of

  • updating application code if a vulnerability is discovered in an application hosted in PUBAPPS.
  • updating the framework an application is using if a vulnerability is discovered in the framework version used by a PUBAPPS application.
  • Updating application code if the application is no longer functional because its dependencies or system package(s) were upgraded due to a security vulnerability.

It is the responsibility of a project hosting application(s) no PUBAPPS to update their application code and or dependencies in response to security vulnerabilities. All applications that are not updated within the timeframe stated in the notification are subject to a takedown. UFIT Research Computing is not responsible for applications that become non-functional because they weren't updated in response to security updates in their dependencies or system packages. Containerized applications are responsible for updating application dependencies and system packages inside the containers orchestrated for the application.

When major operating system (Red Hat Enterprise Linux) release upgrades are planned on HiPerGator groups with PUBAPPS projects will be notified and provided a development environment to test and implement updates to the application code and dependencies to enable the applications to run on the new operating system releases.

Please contact UFIT RC Support] if you have any questions or concerns in regards to application(s) hosted in PUBAPPS.