Secure development of applications requires familiarity with best practices which provide protection of data and prevent exposure of the application to unauthorized access. The highest appropriate levels of security should be built into any application whether it be developed internally to UTSA or purchased.


This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.


This standard applies to all UTSA faculty, staff, and students.


The Office of Information Security


  1. The standard practices outlined here represent the minimum requirements for the
    security of UTSA software.

    1. All production systems and applications must follow the Information Technology
      Standards for granting access to the system.
    2. All confidential information within an application under development must be
      identified and documented.
    3. Applications running on systems with confidential data must provide safeguards
      to protect the data from exposure.
    4. The transfer of such data requires encryption.
    5. During the development of an application the data owner(s), data custodian(s) and
      system administrator(s) must be identified.
    6. Developers must ensure that applications validate input, execute proper error
      handling, and properly authenticate users through identity management
    7. Information security, security testing, and audit controls must be included in all
      phases of the system development lifecycle or acquisition processing.
    8. Copies of production data shall not be used for testing, unless the data have been
      authorized for public release or unless all custodians involved in testing are
      otherwise authorized to access the data.
  2. All security-related information resources changes shall be approved by the data
    owner through a change control process.

OIS 3 – Standard for Application Development and Acquisition
Effective Date: January 1, 2012
Last Revised: August 4, 2020