Commercial Software Assessment Guideline

UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information (MSSEI) for devices handling Institutional Information. The recommendations below are provided as additional guidance for meeting the MSSEI security requirements for application software.

Requirement

From MSSEI requirement 1.1 Security Planning:
Information security requirements must be identified and addressed prior to development or acquisition of systems or software, and during all phases of development, from initiation through implementation, and ongoing maintenance.

Description of Risk

Security vulnerabilities in application software can be exploited to steal Institutional Information.

Recommendations

Whether software is developed in-house or procured from third-party vendors, MSSEI requires that Units ensure Institutional Information is secured and protected against breaches. IT Resource Proprietors and Service Providers must evaluate commercial software against applicable security requirements before making purchase decisions, to ensure it meets campus requirements and any applicable external requirements. The following recommendations are intended to help identify key areas to evaluate; they do not attempt to cover all MSSEI requirements and cannot address external requirements specific to a given Unit or data set.

  1. Secure coding practices should be integrated into every phase of the software development lifecycle (SDLC) used by the vendor's development team. Example questions to ask include:
    • What processes are in place to ensure secure coding practices are integrated into the SDLC?
    • How does the vendor's development team address the OWASP Top 10 application security risks?
  2. Commercial software should provide features and functions that comply with relevant MSSEI technical requirements. The following guidance provides additional clarification on common MSSEI technical requirements as they relate to vendor software security:
    1. 5.1 Separation of Accounts for Individuals. Commercial software must provide user management functionality to create a separate application user account for each individual user.
    2. 5.4 Privileged Account Security. Commercial software must allow granular account security configuration to use strong authentication as defined in MSSEI 5.4.
    3. 5.7 Account Monitoring and Management. Commercial software must provide account management functionality that enables IT Resource Proprietors, Service Providers, and Units to protect all application accounts as defined in MSSEI 5.7.
    4. 5.8 Controlled access based on need to know. Commercial software must provide identity and access management functionality that enables IT Resource Proprietors to "at least annually review access permissions" as defined in MSSEI 5.8.
    5. 6.1 Encryption in transit. Commercial software must be able to utilize strong encrypted transmission protocols when sending data across the network.
    6. 6.2 Encryption at Rest.  Commercial software must allow for encryption of protected data residing on storage media either through native functionality or third party encryption tools.
    7. 9.2 Continuous Vulnerability Assessment and Remediation. The software vendor should demonstrate a proven track record of responding promptly to software vulnerabilities and releasing security patches on a schedule that corresponds to the vulnerability's risk level. For additional guidance on vulnerability management timelines, refer to MSSEI Guideline 4.1 - Continuous Vulnerability Assessment.
    8. 10.1, 10.2, 10.4 - Audit Logging and Retention. Commercial software must log and retain application events in compliance with MSSEI section 10 requirements.
    9. 12.2 Secure Software Configuration. Commercial software must allow its configuration settings to be set securely as required by MSSEI 12.2.
    10. 12.3 Separation of System Resources. Commercial software must accommodate infrastructure components such as the operating system, databases, and application services being deployed across separate physical or virtual servers.
  3. Some MSSEI requirements are less reliant on technical features of commercial software and instead require operational processes to ensure compliance. IT Resource Proprietors and Service Providers should implement processes, using the vendor software where applicable, to address these non-technical MSSEI requirements. An example is the Manage Installed Software requirement (MSSEI requirement 4.5), which should be met by developing a process to collect and manage an inventory of software assets installed on covered devices.
  4. Where commercial software supports Single Sign-On authentication, it must support authentication protocols that comply with the CalNet terms of service. If proxied CalNet authentication is chosen as the Single Sign-On solution, the resource proprietor and resource custodian must obtain approval for the exception to proxy CalNet credentials per the Proxied CalNet Authentication Terms of Service.
  5. The software vendor should provide a Software Obsolescence Policy that demonstrates a commitment to supporting older version(s) of the software and provides adequate lead time before dropping support for a major version. Support for older version(s) of the software should include:
    • Software updates to address security vulnerabilities
    • Software updates to address functional design flaws
    • Technical support including configuration and installation
  6. When web browsers are used to access covered systems, software vendors should demonstrate a willingness and track record of supporting (with full functionality) the two most recently released major versions of at least the following browsers on macOS and Windows:
    • Apple Safari (MacOS)
    • Google Chrome (MacOS and Windows)
    • Microsoft Internet Explorer (Windows)
    • Mozilla Firefox (MacOS and Windows)
  7. The software vendor should be willing and able to provide the following documentation during the evaluation process:
    • Security architecture diagrams and documentation with details on the security technologies employed, such as IDS, IPS, WAF, and network firewalls
    • Results of third-party security audits, vulnerability assessments, penetration tests, and source code audits; results should include the methodologies used, findings identified, and remediation plans
    • Documentation on the APIs used by the commercial software to exchange data with other software components
    • (Cloud Software Service) Documentation demonstrating compliance with industry best practices such as the Cloud Security Alliance's CSA Cloud Controls Matrix

In addition to security requirements such as those noted above, contractual relationships with Suppliers (vendors) that involve Supplier access to Institutional Information or UC IT Resources must include the information security terms required by MSSEI section 13 (Supplier Relationships) and Procurement.
