Cyber Security for REDCap Extended Features Protecting REDCap extended features (Twilio, Mobile App, API, and more). – Staying ahead of the bad guys.

Presentation transcript:

Cyber Security for REDCap Extended Features
Protecting REDCap extended features (Twilio, Mobile App, API, and more) – Staying ahead of the bad guys
An open discussion on cyber security as it pertains to REDCap.
Discussion Leaders: Brian Man and Kevan Essmyer

Why mess with a good thing?
- "This (REDCap) is great, but would it be possible to….?"
- "This is exactly what we want….do you think you could maybe….?"
- "We've got a guy who'll write our API programs for us...don't worry about it..."
- "Mobile app, cool!, all of our team members have phones…."
- "We need access to the database so we can generate the reports we need…"
- "It's HTTPS, so we're protected..."

Twilio
- Twilio supports the TLS cryptographic protocol.
- Clustered architecture: a reliable, high-availability service.
- "Fallback" URLs on incoming phone numbers.
SMS
- Low risk: secure URL links to REDCap surveys.
- High risk: direct text question/response (non-PHI only).

API
- Limit token access
  - Project isolation
  - Request overhead to limit the number of tokens created
  - Responsibility (IRB)
- Project isolation
  - API limited to an individual project
  - Token use tied to a single user account
- SSL transport layer is independent of API security
  - Only effective if the client checks for certificate validation
- API limited functionality
  - Controlled number of system access points
  - Limited functions
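The API slide makes two points that are easy to get wrong on the client side: HTTPS only helps if the client actually validates the server certificate, and a token is bound to one user and one project, so it should never be hard-coded or shared. The following is an added example, not REDCap's own client code or any library the presentation mentions; the endpoint URL, the token value and the field names are placeholders, and the 32-hex-character token check reflects the format REDCap issues.

```python
"""Added example (not REDCap's own client code): a small wrapper around a
REDCap-style API export that applies the slide's transport and token points.
The endpoint URL, token value and field names are placeholders."""
import os
import ssl
import urllib.parse
import urllib.request

# Placeholder endpoint; a real instance exposes https://<host>/redcap/api/.
DEFAULT_API_URL = "https://redcap.example.org/redcap/api/"
HEX_DIGITS = set("0123456789ABCDEFabcdef")


def build_verified_ssl_context() -> ssl.SSLContext:
    """HTTPS protects nothing if the client silently accepts any certificate.
    This context requires a chain to a trusted CA and a hostname match, and
    refuses protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_api_url(url: str) -> str:
    """Refuse anything but https:// so the token never travels in clear text."""
    parsed = urllib.parse.urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("REDCap API URL must use https://")
    return url


def validate_token(token: str) -> str:
    """REDCap issues 32-character hexadecimal tokens; reject anything else
    early so a pasted password or an empty string never reaches the server."""
    if len(token) != 32 or not set(token) <= HEX_DIGITS:
        raise ValueError("token must be a 32-character hex string")
    return token


def load_api_token(env_var: str = "REDCAP_API_TOKEN") -> str:
    """A token is tied to one user and one project, so it is read from the
    environment (or a secrets store) rather than committed with the script."""
    return validate_token(os.environ.get(env_var, ""))


def build_export_request(api_url: str, token: str, fields: list[str]) -> urllib.request.Request:
    """Build the POST for a record export limited to the named fields.
    'content', 'format', 'type' and 'fields[n]' are the REDCap API's own
    form parameters; the token decides which project the data comes from."""
    form = {"token": validate_token(token), "content": "record",
            "format": "json", "type": "flat"}
    for i, name in enumerate(fields):
        form[f"fields[{i}]"] = name
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(check_api_url(api_url), data=body, method="POST")


def export_records(api_url: str, token: str, fields: list[str]) -> bytes:
    """Send the export over a verified TLS connection (performs a network call)."""
    req = build_export_request(api_url, token, fields)
    with urllib.request.urlopen(req, context=build_verified_ssl_context(), timeout=30) as resp:
        return resp.read()
```

The point of `build_verified_ssl_context()` is that it is the only context the script ever hands to `urlopen`; a client that passes `verify=False` (or an unverified context) to work around a certificate warning is exactly the case where "It's HTTPS, so we're protected" stops being true.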

Mobile App
OWASP Mobile Top 10 (2016) -- https://www.owasp.org
- Improper Platform Usage
- Insecure Data Storage
- Insecure Communication
- Insecure Authentication
- Insufficient Cryptography
- Insecure Authorization
- Poor Code Quality
- Code Tampering
- Reverse Engineering
- Extraneous Functionality
(Low-ish risk) Official release -- REDCap Mobile App
- Source code tightly controlled
- Primarily API
- Developer and user tested
- Specialized token user rights
(Moderate to high risk) Locally developed app / API clients
- Monitor server API traffic
- Try to work as a partner if possible
- Allow access to a test server for app testing
- Information Security Office ← Friends!!!

File Sharing features
Risk
- Multiple users on the system
- Unintended transfers of Protected Information (leak)
- Malware propagation: content is not scanned for malware before upload
- Host system vulnerability
Mitigate risk
- Disable the feature (determined to be high risk; redundant, since a site license for Box exists)
- Virus scan the storage directory
- Resilient host environment
- Limit file types
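"Limit file types" is the one mitigation on this slide that can be enforced in code at upload time, before the content ever reaches the scanned storage directory. The block below is an added example, not REDCap's own upload handling; the allowlist, the size limit and the sample bytes are constructed for the demonstration, and it goes slightly beyond the bullet by also checking the filename and size, since an extension check alone is client-controlled.

```python
"""Added example (not REDCap's upload code): server-side checks applied to a
shared file before it is accepted. The allowlist, size limit and sample
inputs are constructed for this demonstration."""
import os
import re

# Extension allowlist and the magic bytes each type must start with (assumed policy).
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".csv": (),  # plain text: no signature, validated as UTF-8 below
}
MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # assumed site limit

# Filenames: must start with a letter or digit, then only safe characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); stop at the first failed check."""
    # 1. Drop any directory part a client may have sent ("../", "C:\...").
    name = os.path.basename(filename.replace("\\", "/"))
    if not _SAFE_NAME.match(name):
        return False, "filename contains disallowed characters"
    # 2. Size bounds.
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    # 3. Extension allowlist, decided on the last extension only.
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing file extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} not in allowlist"
    # 4. The content must match the declared type; the name alone proves nothing.
    signatures = ALLOWED_TYPES[ext]
    if signatures:
        if not any(data.startswith(sig) for sig in signatures):
            return False, f"content does not look like {ext}"
    else:
        if b"\x00" in data:
            return False, "text file contains binary data"
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text file is not valid UTF-8"
    return True, "ok"


# Constructed sample uploads: a real-looking PDF header, a CSV, and an
# executable header disguised with a .pdf extension.
SAMPLES = {
    "consent.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "data.csv": b"record_id,age\n1,34\n2,41\n",
    "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
}


def check_samples() -> dict[str, tuple[bool, str]]:
    """Run every constructed sample through the validator."""
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}
```

A file that passes these checks still goes to the quarantined storage directory for the virus scan the slide calls for; the allowlist removes whole classes of risky content up front, but it is not a substitute for scanning what remains.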

More? (Extra features, plugins, and stuff)
Plugins, hooks, "Special Reporting Scripts or Programs"
- Secure programming best practices
  - Limit input options
  - Filter free-text input prior to processing
- Security scans
  - Detect vulnerabilities
  - Standardize/revise best-practice components
- Protected space
  - Plugin access granted only after authentication
  - Make use of the "built in" system security container
- Isolate abusive access
  - Lock out access until the user can explain the cause and prove it has been addressed.
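"Limit input options" and "filter free-text input prior to processing" are the two secure-programming bullets that a reporting script can demonstrate directly. The block below is an added example and not REDCap's own code (REDCap plugins and hooks are PHP; Python is used here only for the illustration); the table is a small constructed copy of a long-format data table with the columns project_id, record, field_name and value, and the report names are made up.

```python
"""Added example (not REDCap's own code; REDCap plugins are written in PHP):
a reporting script that limits input options and filters free text before
anything reaches the database. The table is a small constructed copy of a
long-format data table (project_id, record, field_name, value)."""
import re
import sqlite3

# Closed set of report types a caller may ask for: "limit input options".
REPORT_FIELDS = {
    "enrollment": ("enroll_date", "arm"),
    "visits": ("visit_date",),
}
# Record identifiers are short and alphanumeric; free text is not accepted as-is.
_RECORD_ID = re.compile(r"^[A-Za-z0-9_-]{1,20}$")


def filter_record_id(raw: str) -> str:
    """Allowlist filter for the one free-text parameter; raises on anything else."""
    value = raw.strip()
    if not _RECORD_ID.match(value):
        raise ValueError("record id contains disallowed characters")
    return value


def filter_report_type(raw: str) -> str:
    """Only a known report name is accepted; it is never used to build SQL text."""
    value = raw.strip().lower()
    if value not in REPORT_FIELDS:
        raise ValueError(f"unknown report type: {value!r}")
    return value


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data for two projects so the project filter is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE redcap_data (project_id INT, record TEXT, field_name TEXT, value TEXT)"
    )
    rows = [
        (12, "1", "enroll_date", "2018-01-05"),
        (12, "1", "arm", "A"),
        (12, "1", "visit_date", "2018-02-01"),
        (12, "2", "enroll_date", "2018-01-09"),
        (13, "1", "enroll_date", "2017-11-30"),  # same record id, other project
    ]
    conn.executemany("INSERT INTO redcap_data VALUES (?, ?, ?, ?)", rows)
    return conn


def report_for_record(conn: sqlite3.Connection, project_id: int,
                      report_type: str, record_id: str) -> list[tuple[str, str]]:
    """Filter both inputs first, then run a parameterised query scoped to one
    project. Field names come from the allowlist, never from the caller."""
    fields = REPORT_FIELDS[filter_report_type(report_type)]
    record = filter_record_id(record_id)
    placeholders = ", ".join("?" for _ in fields)
    sql = ("SELECT field_name, value FROM redcap_data "
           "WHERE project_id = ? AND record = ? "
           f"AND field_name IN ({placeholders}) ORDER BY field_name")
    return conn.execute(sql, (project_id, record, *fields)).fetchall()
```

The two filters run before the query is built, so a rejected value produces an error the script can log (and, following the slide's "isolate abusive access" point, count toward a lockout) rather than a query that runs with unexpected content; the only values interpolated into the SQL string are placeholder markers, and the caller's input travels exclusively as bound parameters.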

Discussion Break
- Who's worried about security? (Am I doing enough?)
- Who's had security issues?
- Who's put off using a feature due to concerns?

Risk Management
"100% secure system -- Chernobyl Method -- unplug the box and bury it under 100 tons of cement"
Alternative scheme:
- Sound workflow policy for using technology
- Best practices
- Monitoring
- Isolation: minimum amount of access necessary
- Routine security testing
- Regulatory review boards
- Data breach insurance
Personal note: Most data issues have been caused by users using regular features. -KE