All applications that wish to consume an API through the Campus API Gateway will be required to go through periodic Application Security reviews. The purpose of the reviews is to ...
- Ensure applications are securely storing protected information (API Keys and Secrets).
- Ensure data is being stored securely and used within the expectations of the data owner's Terms of Use.
- Ensure best practices are being followed when appropriate.
- Ensure the data is still needed as systems change or become deprecated.
Security Review Process
- Upon the first request for access to an API the Campus API Gateway Team will request some information about the application to be reviewed. This is generally in the form of an Application Approval Request. The application approval request will collect information about what the application owner needs and make it available for the data owner to review and provide feedback upon.
- At this time the Campus API Gateway Team and the data provider's IT Team will also review the Application Approval Request and determine if further review of the application is required.
- If the application is going to consume protected information then a code review will most likely be requested by a Campus API Gateway Team member.
- This should only be required for the first application submitted by a development team. Further applications developed by that same team shouldn't require an additional code review unless the new application is going to consume highly sensitive information or is going to provide data in a manner that carries significant risk (like a mobile application).
- The code reviewer(s) will ask for access to the source code of the application and time to review the application before determining the next steps.
- Most applications should be following best practices and should be given approval to access the Campus API Gateway (once the data owners approve of the usage).
- However, depending on the nature of the application and what is found in the review, next steps will be determined in order to ensure the application developers are using the data as intended and to assure the data owners that potential risks are being mitigated or resolved.
Recurring Security Review
- Most applications should have an annual review to ensure that they are still keeping up with best practices and are still using the data they are being provided.
- However, depending on the nature of the application the review may occur more frequently.