Secure Coding Practices. The following are additional secure coding practices that must be implemented as applicable:
a. User inputs and other parameters (URL, Form) must ALL be validated at both Interface and Business tiers for data type, allowed character set, numeric range, enumerated legal values. Special characters, such as those used for cross-site scripting (XSS) and SQL injection, must be stripped or otherwise rendered harmless.
b. All reasonable steps must be taken to prevent browser caching of Sensitive Information.
c. Repeated failed logins must be logged and generate alerts.
d. Passwords and other Confidential Information must be stored in encrypted format, and the encryption key strongly protected.
e. Logins and other parts of user sessions where Confidential Information is transmitted must utilize strong SSL encryption.
f. If located in different data centers, back-end connections between the web application and database must be strongly encrypted.
g. Sensitive Information or information that could be manipulated and result in information discovery must never be unencrypted in a cookie, form field or URL parameter.
h. Every application component must be thoroughly wrapped in error-trapping code so that Confidential Information is never displayed to the end-user.
i. Passwords should be changed and updated every 90 days to enforce security.
Appears in 1 contract
Sources: Broker Back Office Data Agreement
Secure Coding Practices. The following are additional secure coding practices that must be implemented as applicable:
a. User inputs and other parameters (URL, Form) must ALL be validated at both Interface and Business tiers for data type, allowed character set, numeric range, enumerated legal values. Special characters, such as those used for cross-site scripting (XSS) and SQL injection, must be stripped or otherwise rendered harmless.
b. All reasonable steps must be taken to prevent browser caching of Sensitive Information.
c. Repeated failed logins must be logged and generate alerts.
d. Passwords and other Confidential Information must be stored in encrypted format, and the encryption key strongly protected.
e. Logins and other parts of user sessions where Confidential Information is transmitted must utilize strong SSL encryption.
f. If located in different data centers, back-end connections between the web application and database must be strongly encrypted.
g. Sensitive Information or information that could be manipulated and result in information discovery must never be unencrypted in a cookie, form field or URL parameter.
h. Every application component must be thoroughly wrapped in error-trapping code so that Confidential Information is never displayed to the end-user.
i. Passwords should be changed and updated every 90 days to enforce security.
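Item (a) in both clause variants above requires every URL and form parameter to be checked for data type, allowed character set, numeric range and enumerated legal values at both tiers. The following is an added illustration of how such an allow-list validator can be written so the same function is called from the interface tier and again from the business tier; it is example code, not part of either contract, and the parameter names and rules in SCHEMA are constructed for the example.

```python
import re

# Constructed example schema (an assumption, not from the clause): one rule
# per parameter, covering the four checks the clause lists.
SCHEMA = {
    "account_id": {"type": int, "min": 1, "max": 999_999},
    "username":   {"type": str, "pattern": r"^[A-Za-z0-9_.-]{3,32}$"},
    "role":       {"type": str, "enum": {"viewer", "trader", "admin"}},
    "page":       {"type": int, "min": 1, "max": 500},
}

def validate(params: dict, schema: dict = SCHEMA) -> tuple[dict, list]:
    """Allow-list validation of request parameters.

    Returns (clean_values, errors). Both tiers call this: the interface tier
    on the raw request, the business tier again on what it receives, so a
    bypassed front end still cannot feed unchecked values into the back end.
    Unknown parameters are reported rather than silently passed through.
    """
    clean, errors = {}, []
    for name in params:
        if name not in schema:
            errors.append(f"{name}: unexpected parameter")
    for name, rule in schema.items():
        raw = params.get(name)
        if raw is None:
            errors.append(f"{name}: missing")
            continue
        # 1. data type: URL/form values arrive as strings, so coerce explicitly
        if rule["type"] is int:
            if not re.fullmatch(r"-?\d{1,9}", str(raw)):
                errors.append(f"{name}: not an integer")
                continue
            value = int(raw)
        else:
            value = str(raw)
        # 2. allowed character set: anything outside the allow-list regex,
        #    including the <, ', ; characters typical of XSS and SQL
        #    injection payloads, is rejected rather than stripped
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{name}: illegal characters")
            continue
        # 3. numeric range
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            errors.append(f"{name}: out of range")
            continue
        # 4. enumerated legal values
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{name}: not an allowed value")
            continue
        clean[name] = value
    return clean, errors
```

Rejecting a request outright on any error is the simplest way to satisfy "rendered harmless"; only the values in `clean` should reach the next tier.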
Appears in 1 contract
Sources: License Agreement