The following security best practices must be considered and, if feasible, applied as a matter of the application’s security design:
Data handled and managed by the application must be classified in accordance with the Data Classification Policy (reference (a)).
If the application processes confidential information, a confidential record banner must be prominently displayed which highlights the type of confidential data being accessed (e.g., personally identifiable information (PII), protected health information (PHI), etc.).
Sensitive data, especially data specifically restricted by law or policy (e.g., social security numbers, passwords, and credit card data) should not be displayed in plaintext.
Ensure that applications validate input properly and restrictively, allowing only those types of input that are known to be correct. Flaws that such validation guards against include, but are not limited to, cross-site scripting, buffer overflow errors, and injection flaws.
Ensure that applications execute proper error handling so that errors will not provide detailed system information to an unprivileged user, deny service, impair security mechanisms, or crash the system.
Where possible, authorize access to applications by affiliation, membership or employment, rather than by individual. Provide an automated review of authorizations on a regular basis, where possible.
Ensure that applications encrypt data at rest and in transit.
Implement application logging to the extent practical. Retain logs of all users and access events for at least 14 days.
Qualified peers must conduct security reviews of code for all new or significantly modified applications, particularly those that affect the collection, use, and/or display of confidential data. Document all actions taken.
Implement a change management process for changes to existing software applications.
Standard configuration of the application must be documented.
Default passwords used within the application, such as for administrative control panels or integration with databases, must be changed immediately upon installation.
Applications must require complex passwords in accordance with current security best practices (at least 8 characters in length, combination of alphanumeric upper/lowercase characters and symbols).
During development and testing, applications must not have access to live data.
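As an added example (not part of the policy text above), the following Python function checks a candidate password against the complexity rule stated in the password requirement: at least 8 characters with a mix of upper- and lowercase letters, digits and symbols. Requiring at least one character from each class is an assumption about how that rule is meant to be read; the policy does not spell it out.

```python
# Added example: checks a password against the complexity rule stated in the
# policy above. The "at least one of each class" reading is an assumption.

MIN_LENGTH = 8  # minimum length stated in the policy


def password_violations(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    # A symbol is any character that is neither alphanumeric nor whitespace,
    # so non-ASCII punctuation counts as well as the usual ASCII set.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        violations.append("no symbol")
    return violations


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule in the policy statement."""
    return not password_violations(password)


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for candidate in ("Tr0ub4dor&3", "Short1!", "correct horse battery staple"):
        print(repr(candidate), "->", password_violations(candidate) or "compliant")
```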