Information Security Standards
- Web applications will be secured from "SQL Injection Attacks", where the attacker enters SQL commands into Web form input fields or URL query strings to try to manipulate the SQL statement being sent to the database. The following methods to avoid SQL injection attacks will be used:
  - Use of parameterized queries or stored procedures to access a database, as opposed to building SQL statements by string concatenation
  - Limit the number of characters in Web form input fields and URL query strings to an appropriate amount
  - Validate text input and URL query strings for improper characters (e.g. apostrophe, dash)
  - Display a user-friendly error page when an application error occurs. Do not display errors to the user that could be used to determine software, framework, and database names and versions, or that display actual source code
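The four methods above, shown together in an added example that is not part of the CDE standard: a lookup built by string concatenation beside the parameterized form, an input length limit and character screen, and a request handler that returns a generic error page instead of exception text. The table, rows, length limit and the malformed input used in the usage note are all constructed for the demonstration.

```python
"""Added example (not CDE's own code): contrasts a string-concatenated lookup
with a parameterized one against an in-memory SQLite table, applies an input
length limit and character screen, and returns a generic error message rather
than exception details. All table data is constructed for the demonstration."""
import sqlite3

MAX_INPUT_LEN = 64  # assumed limit; the standard only says "an appropriate amount"
IMPROPER_CHARS = "'-"  # the characters the standard names as examples


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the user-supplied value becomes part of the SQL text,
    so a value containing a quote can change the statement's logic."""
    sql = "SELECT username, email FROM staff WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """SAFE: the value is bound as a parameter; the SQL text never changes."""
    sql = "SELECT username, email FROM staff WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_input(value: str) -> bool:
    """Length limit plus the improper-character screen the standard calls for."""
    if len(value) > MAX_INPUT_LEN:
        return False
    return not any(ch in value for ch in IMPROPER_CHARS)


def handle_request(conn: sqlite3.Connection, username: str) -> dict:
    """Web-layer wrapper: validate, query with parameters, and never leak
    database or framework details in the response body."""
    if not validate_input(username):
        return {"status": 400, "body": "Invalid input."}
    try:
        rows = lookup_parameterized(conn, username)
    except sqlite3.Error:
        # Log the real exception server-side; the browser only sees this text.
        return {"status": 500, "body": "An error occurred. Please try again later."}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # constructed malformed input
    print("concatenated:", lookup_concatenated(db, tautology))  # returns every row
    print("parameterized:", lookup_parameterized(db, tautology))  # returns nothing
    print("handled:", handle_request(db, tautology))  # rejected by validation
```

The same malformed input returns every row from the concatenated lookup and no rows from the parameterized one, because the parameter binding keeps the quote inside the value rather than inside the statement. The input screen and the generic error response sit in front of the query as independent layers; the parameterized query is the control that actually removes the injection, and the other two reduce exposure when a query elsewhere is missed.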
Data Transmission Security
When confidential or sensitive data is passed between the end-user and the Web server, the HTTPS protocol (employing TLS versions currently approved by the National Institute of Standards and Technology (NIST)) will be used. HTTPS provides server authentication, data encryption ("over the wire"), and data transmission integrity. The digital certificate used on the Web server will need to be "trusted" by the Web browsers listed on the CDE’s Minimum Web Browser Requirement Web page. An HTTPS security test will also be performed by the CDE Information Security Office (ISO) against HTTPS Web sites, which must result in a passing letter grade for the Web site to be approved.
End-to-end encryption, utilizing currently approved NIST ciphers and key lengths, shall be used to protect confidential, sensitive, or personal information that is transmitted or accessed outside the secure internal network of the CDE (e.g., e-mail, remote access, file transfer, Internet/Web site communication tools), or stored on portable hard drives, mobile computing devices (e.g., laptops, netbooks, tablets, and smartphones), and other mobile electronic devices.
- Web applications will follow the principle of least privilege (POLP) to access database objects (i.e. tables, views, stored procedures). For example, if the Web application needs read-only access to a specific database table, the database permissions will be set accordingly as opposed to giving the Web application "admin or owner" rights to the entire database.
- Individual database fields storing confidential or sensitive data (e.g. passwords, Social Security number) must be stored using CDE approved encryption techniques.
Passwords, whether created by application developers, administrators, or users, must be validated to meet all of the following parameters:
- Be at least eight characters in length
- Not use any of the previous 10 passwords
- Not be older than 90 days
- Result in an account lockout after 5 invalid logon attempts
- Not be the same as the logon or user name
- Contain characters from three of the following four categories:
  - At least one uppercase letter (A through Z)
  - At least one lowercase letter (a through z)
  - At least one number (0 through 9)
  - At least one special character (!, @, #, $, ^, &, *, -, =, _, +, ?)
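An added example, not CDE's own code, that applies the password parameters above: a validator for the composition rules (length, history, not the user name, three of four categories), an age check for the 90-day limit, and a per-account failed-logon counter for the lockout rule. The hashing helper is a stand-in for whatever password hashing the application actually uses, the rule names and the treatment of day 90 as still valid are assumptions, and every sample value is constructed.

```python
"""Added example (not CDE's own code): enforces the password parameters listed
in the standard. pw_hash is a placeholder for the application's real password
hashing; constants and sample values are constructed for the demonstration."""
import hashlib
import string
from datetime import date, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 10          # "not use any of the previous 10 passwords"
MAX_AGE_DAYS = 90           # "not be older than 90 days"
LOCKOUT_THRESHOLD = 5       # "lockout after 5 invalid logon attempts"
SPECIALS = set("!@#$^&*-=_+?")  # the special characters the standard lists


def pw_hash(password: str) -> str:
    """Placeholder for the application's real (slow, salted) password hash;
    used here only so the history list never holds plaintext passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def category_count(password: str) -> int:
    """How many of the four character categories the password contains."""
    present = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ]
    return sum(present)


def validate_new_password(password: str, username: str, previous_hashes: list) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.
    previous_hashes holds pw_hash() values, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() == username.lower():
        problems.append("same_as_username")
    if pw_hash(password) in previous_hashes[-HISTORY_DEPTH:]:
        problems.append("reused")
    if category_count(password) < 3:
        problems.append("too_few_categories")
    return problems


def password_expired(set_on: date, today: date) -> bool:
    """True once the password is older than MAX_AGE_DAYS (day 90 itself still valid: an assumption)."""
    return today - set_on > timedelta(days=MAX_AGE_DAYS)


class LogonTracker:
    """Counts consecutive failed logons per account and reports lockout."""

    def __init__(self):
        self.failures = {}

    def record_failure(self, username: str) -> bool:
        """Record one invalid attempt; return True if the account is now locked."""
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        return count >= LOCKOUT_THRESHOLD

    def record_success(self, username: str) -> None:
        """A successful logon clears the counter (only possible if not locked)."""
        self.failures.pop(username, None)

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= LOCKOUT_THRESHOLD


if __name__ == "__main__":
    history = [pw_hash("Summer2024")]  # constructed prior password
    print(validate_new_password("Passw0rd!", "alice", history))   # []
    print(validate_new_password("Summer2024", "alice", history))  # ['reused']
    print(password_expired(date(2024, 1, 1), date(2024, 4, 1)))   # True
```

Returning the full list of violations rather than stopping at the first lets the form tell the user everything that needs changing in one round trip. The 90-day and lockout rules are state the application must persist (a set-on date and a failure counter per account), which is why they are separate from the stateless composition check.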
Cloud Security Requirements
If CDE data will be maintained by a Cloud Service Provider (CSP), the following criteria must be met:
- The CSP must have FedRAMP authorization
- CDE data must reside within the continental United States and remote access to CDE data is prohibited from outside the continental United States
- The CSP must not commingle CDE data with other CSP customers’ data (CDE data must be maintained in a database containing only CDE data)
- CDE data must be encrypted at rest and in transit utilizing currently approved NIST ciphers and key lengths
- The CDE must be able to move its data out of the current CSP to CDE or another CSP