Application Code Review Standard

Purpose

This standard defines the responsibilities of the developers and of Web Services regarding the review of code prior to deployment to production servers.

Brief Description

It is the responsibility of all staff involved in the production of web applications to ensure the safety, integrity, and security of University resources. As such, ensuring that code is free of known vulnerabilities is essential. Developers should always complete a code review of their web applications prior to deploying them to production. It is recommended that vulnerability scans be performed by developers as part of the code review process.

Details

All application content that is to be deployed to production should go through a code review. Code reviews are the sole responsibility of the application developers and will not be performed by Web Services on their behalf.

Automated vulnerability scanning is made available to developers by Purdue Systems Security (PSS) and can be an important part of the code review process. Whenever possible, vulnerability scans should be conducted against the QA tier. Web Services will assist developers with scheduling scans and analyzing results upon request. When a scan identifies issues outside of developer control, Web Services will assist with vulnerability mitigation. No automated vulnerability scan is guaranteed to identify all issues, and any scan may report issues that do not actually exist (false positives). For these reasons, a manual application code review is always needed. Certain situations, such as sites with no application code, may not warrant a vulnerability scan.

Vulnerability scans are required on a yearly basis for all applications that meet either of the following criteria:

  1. The application is known to process and/or access restricted data or has elevated access to other critical systems.
  2. The application has not had a vulnerability scan in the last year for other reasons.