Any UC Berkeley application handling Protection Level 2 data, including California State Law "Notice-Triggering" information, must pass an annual application security assessment to remain in compliance with the UC Berkeley Minimum Security Standard for Electronic Information (MSSEI).
The Application Security Testing Program (ASTP) performs application security assessments for campus applications as required by MSSEI 6.2.
Assessment standards are designed to reduce security risk for the campus in a manner that is reasonable and attainable for Resource Custodians and Resource Proprietors.
An application security assessment is divided into the following ordered phases:
|Phase||Activities||Estimated Time Required|
|Application Security Testing||
Ongoing until issues are resolved, typically it is a fast process to verify fixes or mitigation
Test coverage may include, but is not limited to the following areas:
- Information Gathering & Reconnaissance
- Session Handling
- Access Controls & Authorization
- Data Input Validation
- Application Logic
- Application Hosting
- Web Services
- Desktop Client Software
- Thick and Thin client components
- Server Software
Web applications will be tested for each of the OWASP 2013 Top Ten Application Security Risks:
- Broken Authentication & Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
The risk of application security vulnerabilities discovered during an assessment will be rated according to a custom-tailored version the OWASP Risk Rating Methodology. Risk severity is determined based on the estimated technical and business impact of the vulnerability, and on the estimated likelihood of the vulnerability being exploited:
Below is a table summarizing factors by which a vulnerability may be classified. Please note that only the most common vulnerability characteristics are listed, and these ratings do not completely account for your application's environment:
Applications undergoing an assessment receive a Pass or Fail grade based on their ability to adequately secure Protection Level 2 data. A Fail grade is issued when an application contains vulnerabilities or exposures that when exploited, directly lead to a confidentiality breach of covered data.
The following vulnerabilities will result in an automatic Fail grade for any application:
- Any Critical or High risk vulnerabilities as rated by the ASTP. These vulnerabilities are deemed to have a high likelihood of being found and exploited, and a high business impact for the university.
- Multiple Medium or Low risk vulnerabilities that create a Critical or High risk when leveraged together by attackers.
Applications with a Fail grade must address all Critical and High risk vulnerabilities in a time frame agreed upon with Information Security and Policy. Timely remediation is a campus requirement for the system to remain in operation.
Applications that receive a Fail grade will be issued timeline requirements by which vulnerabilities must be fixed. Remediation due dates will be prioritized and issued by Information Security and Policy based on risk. The due dates are presented under the Action Plan section at the end of the final ASTP report.
When remediation is complete, vulnerabilities causing the original Fail grade will be re-tested by Information Security and Policy. If all pertinent vulnerabilities have been addressed, a Pass grade may be issued for the application.
If remediation due dates cannot be met or if there is a disagreement over the dates, Resource Proprietors and Resource Custodians of applications that receive a Fail grade may file an Exception Request with IT Policy asking for additional time to complete remediation.