Policy for Application Development

Responsible Office
Technology Support Services


Staff developers

Purpose and Scope

This policy defines requirements for application development for all Abilene Christian University applications deployed on or off-campus. This applies to any applications technology purchased, obtained at no cost or developed in-house.


It is the responsibility of unit managers to follow application development standard policies. This policy focuses on application development standards and is intended to inform the applications development process and complement other Information Technology policies that must also be followed.  For the purpose of this policy, sensitive data is defined as information that is not intended to be public.

No changes to production environments should be made without explicit, documented approval from a supervisor.  This practice will help ensure that appropriate levels of testing, documentation and code reviews are completed before moving changes into a production environment.  Accommodations can and will be made for changes that need to be made on an emergency basis or that do not affect a production environment (i.e. reports or changes made to testing environments).


Valid Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates must be used for all sensitive information in transit between the client, server and other servers.  Production services that use TLS/SSL certificates must obtain them from a recognized Certificate Authority (CA)Applications using cryptography must use industry standard algorithms and implementations.

Authentication and Authorization

A single sign-on service using an identity store should be used to authenticate users from ACU and other constituencies.  Applications that process sensitive data must verify authorization for each request.

Data Validation

Applications must validate all data for expected values.
Applications must use server-side validation.
Applications that use data from another source must take steps to ensure the external data is trustworthy.
Web forms and interactive elements must use a secure token to verify the user intentionally initiated the request.
Applications must validate all data that is passed to interpreters, including Web browsers, database systems and command shells.
Applications must only send data and code to the browser that the user is authorized to see or use.

Session Management

Applications  must use HttpOnly cookies for cookies that contain sensitive data to ensure they are only sent over secure connections.
Applications must keep session times to the minimum duration necessary for operation.
Applications must have server-based disconnects.
Applications must use a secure session key/token to avoid sending 'hidden data' to the browser.

Change Control

Revisions to this policy must be reviewed and approved by the CIO Cabinet.

Notification Tree

The following individuals or offices should be notified prior to implementing changes to this policy: CIO Cabinet.

Effective Date: October 22, 2013

Expiration Date: None

Review Date: October 1, 2014

Policy Owner

Kay Reeves, Director Technology Support Services