Securing Your Web Application and Database


Securing Your Web Application and Database June 9 – 10, 2016 Presenters: Garth Colasurdo, Nader Khalil, Tuan Bui

What we will cover today: Why App/Database Security? How-to: Development of a (Secured) App/Database: Planning and Architecture; Mobile and Web-based App Security Points. How IT Can Help You…

Why App/Database Security?

Because… there are bad people out there who want to exploit your work for personal gain. Since November 2015 @ UNM: 559+ web vulnerabilities (potential exploits exist); 12+ compromised websites (forcibly taken over); 2 personal data incidents (FERPA).


How-to: Planning and Architecture

Planning and Architecture: Addressing Business Needs. New vs. existing; vendor vs. in-house; cloud vs. on-premise. Weigh business needs, technical needs and user needs.

Planning and Architecture: Technology Choices. Type of application; type of development tools; type of hosting; type of data to be collected.

Planning and Architecture: Key Data Sensitivity. Type of data you may collect (“directory information”); do not collect information you do not need; sharing information with others. Data Classification: E Class (encrypted): SSN (or part of it), tax information, student medical records. C Class (confidential): GPA, race, gender. P Class (public): name, address, telephone listing.

Planning and Architecture: Roles and Responsibilities. Data Owners: senior administrators with ultimate authority and responsibility for the access, accuracy, classification, and security of the data within their delegations of authority. Data Stewards: University officials who have direct operational-level authority and responsibility for the management of one or more types of institutional data. Data Custodians: responsible for the operation and management of the technology, systems, and servers that collect, store, process, manage, and provide access to University data. Data Users: authorized individuals who access data to perform assigned duties or functions within the University.

Planning and Architecture: Policies. Acceptable Computer Use, UNM Policy 2500; Computer Security Controls and Access to Sensitive and Protected Information; Credit Card Processing, UNM Policy 7215; Information Security, UNM Policy 2550; Social Security Numbers, UNM Policy 2030. Federal law: Health Insurance Portability and Accountability Act (HIPAA); The Family Educational Rights and Privacy Act (FERPA). Standards: Data Classification; Data Encryption; Information Stewardship and Confidentiality.

Planning and Architecture: Full Lifecycle Planning. Business Needs, Find a Solution, Security Assessment, Design, Implement, Support.

How-to: Mobile or Web-based App Security Points

Start Here: www.owasp.org https://www.owasp.org/index.php/Cheat_Sheets

Restricting Access: Roles. Customer roles; office roles. Can you use CAS (Central Authentication Service) for login instead of your own? Be very careful about local accounts: managing passwords is not a business you want to be in.
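The roles slide above, and the later warning about horizontal or vertical escalation of privileges, come down to two server-side checks: does this user hold the role the action needs (vertical), and does this record belong to this user (horizontal). The following is an added example, not code from the UNM presentation. It assumes an SSO layer such as CAS has already authenticated the user, that the application maps the authenticated NetID to a role from its own table (never from anything in the request), and uses constructed sample roles and order records.

```python
"""Server-side authorization: role checks (vertical) and ownership checks
(horizontal). Added example, not from the UNM slides. Assumes the SSO layer
(e.g. CAS) has already authenticated the NetID; roles come from our own table."""
from dataclasses import dataclass

# Assumed roles, ordered by privilege (the slide names customer and office roles).
ROLE_RANK = {"customer": 1, "office": 2}

# Constructed sample data: NetIDs holding an office role, and who owns which order.
OFFICE_STAFF = {"staff1"}
ORDERS = {101: "alice", 102: "bob"}


class Forbidden(Exception):
    """Caller is authenticated but lacks the needed role."""


class NotFound(Exception):
    """Record absent, or not visible to this caller (same answer for both)."""


@dataclass(frozen=True)
class Session:
    netid: str  # as asserted by the SSO layer, not by a form field
    role: str


def session_for(netid: str) -> Session:
    """Build the session after SSO login; the role comes from our own table."""
    role = "office" if netid in OFFICE_STAFF else "customer"
    return Session(netid=netid, role=role)


def require_role(session: Session, needed: str) -> None:
    """Vertical check: refuse unless the caller holds at least `needed`."""
    if ROLE_RANK.get(session.role, 0) < ROLE_RANK[needed]:
        raise Forbidden(f"{session.netid} lacks role {needed}")


def get_order(session: Session, order_id: int) -> dict:
    """Horizontal check: customers see only their own orders.
    A missing order and somebody else's order get the same NotFound,
    so the endpoint cannot be used to enumerate valid IDs."""
    owner = ORDERS.get(order_id)
    is_office = ROLE_RANK[session.role] >= ROLE_RANK["office"]
    if owner is None or (owner != session.netid and not is_office):
        raise NotFound(order_id)
    return {"id": order_id, "owner": owner}


def list_all_orders(session: Session) -> list:
    """Office-only report: the role check happens here, on the server."""
    require_role(session, "office")
    return sorted(ORDERS)
```

The point of `session_for` is that the role is looked up from the NetID the SSO layer vouched for; a role name carried in a cookie, hidden form field or query string is exactly what an attacker edits to escalate vertically.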

Server Configurations. Communication layer: TLS (SSL) all the time, not only on the login page. Source file access: keep source, configuration and credential files unreadable from the web root. File uploads from users: validate type and size, store them outside the web root under a server-chosen name. Error messages: a generic message to the user, the details to the log.
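Two of the points above, user file uploads and error messages, are where a configuration decision has to be backed by code. The following is an added example, not code from the UNM presentation. It assumes a policy that accepts only PNG, JPEG and PDF files up to 5 MiB, stores them under a directory outside the web root with a random server-chosen name, and returns only generic messages to the user while the specifics go to the application log; the sample file contents are constructed.

```python
"""Server-side checks for user uploads plus user-safe error reporting.
Added example, not from the UNM slides. Assumed policy: PNG/JPEG/PDF only,
5 MiB cap, random file name, storage directory outside the web root."""
import logging
import os
import secrets
from pathlib import Path

log = logging.getLogger("uploads")

MAX_BYTES = 5 * 1024 * 1024
# Extension -> leading bytes ("magic") the content must start with.
# The extension alone proves nothing; PHP source renamed to .png still runs
# on a server that decides handlers by content sniffing or double extensions.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


class UploadRejected(Exception):
    """Carries a generic, user-safe message; details are logged, not returned."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension if the upload passes every check."""
    name = os.path.basename(filename)  # drop any client-supplied path (../)
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_TYPES:
        log.warning("upload rejected: extension %r on %r", ext, name)
        raise UploadRejected("file type not allowed")
    if not data or len(data) > MAX_BYTES:
        log.warning("upload rejected: size %d for %r", len(data), name)
        raise UploadRejected("file too large or empty")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        log.warning("upload rejected: content does not match %s for %r", ext, name)
        raise UploadRejected("file content does not match its type")
    return ext


def store_upload(filename: str, data: bytes, upload_dir: Path) -> Path:
    """Write the file under a random name the client never gets to choose."""
    ext = validate_upload(filename, data)
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / (secrets.token_hex(16) + ext)
    dest.write_bytes(data)
    return dest


def handle_upload_request(filename: str, data: bytes, upload_dir: Path) -> dict:
    """What the HTTP layer calls: the user sees a generic result, the log the detail."""
    try:
        path = store_upload(filename, data, upload_dir)
        return {"ok": True, "stored_as": path.name}
    except UploadRejected as exc:
        return {"ok": False, "error": str(exc)}
    except Exception:
        # Stack traces, paths and driver errors stay in the log, never in the response.
        log.exception("unexpected upload failure for %r", filename)
        return {"ok": False, "error": "upload failed"}
```

`upload_dir` should point outside the document root; if the files must be served back, do it through an application handler that sets the content type explicitly rather than by letting the web server execute whatever landed in the directory.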

Protecting Data: Credentials, Isolation, Transactions, Encryption.

Coding Best Practices. Use frameworks and MVC. Injection protection: parameterized queries (PDO prepared statements for PHP, SqlCommand with parameters for .NET, createQuery() with named parameters for Hibernate); stored procedures in the database (only if they do not build dynamic SQL internally); whitelist input validation; escape all user-supplied input for the context it is rendered in. Session control. Guard against horizontal or vertical escalation of privileges. Account for all error conditions. Request a security assessment.
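The injection-protection and whitelist-validation points above, shown side by side in an added example that is not code from the UNM presentation. It uses Python's built-in sqlite3 driver (the slide names PDO, SqlCommand and Hibernate; the bound-parameter idea is the same in each) and a constructed three-row student table. The vulnerable lookup is kept deliberately vulnerable as the "before"; the whitelist covers the one place a parameter cannot help, an ORDER BY column name.

```python
"""Parameterized queries vs. string concatenation, plus a whitelist for
identifiers. Added example, not from the UNM slides; sqlite3 stands in for
the PDO / SqlCommand / Hibernate APIs the slide names."""
import sqlite3

# Constructed sample data.
SAMPLE_ROWS = [
    (1, "alice", "3.9"),
    (2, "bob", "2.7"),
    (3, "carol", "3.2"),
]

# Column names the UI may sort by. Identifiers cannot be bound as parameters,
# so anything not on this list is refused outright rather than escaped.
ALLOWED_SORT_COLUMNS = {"id", "netid", "gpa"}


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, netid TEXT, gpa TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, netid: str) -> list:
    """The 'before': user input spliced into the SQL text.
    A netid of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT id, netid, gpa FROM students WHERE netid = '" + netid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, netid: str) -> list:
    """The fix: the value travels as a bound parameter and is never parsed
    as SQL, so the same payload simply matches no row."""
    sql = "SELECT id, netid, gpa FROM students WHERE netid = ?"
    return conn.execute(sql, (netid,)).fetchall()


def list_sorted(conn: sqlite3.Connection, sort_col: str) -> list:
    """Whitelist validation for the column name; the f-string is safe only
    because sort_col has just been checked against a fixed set."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"refusing unexpected sort column: {sort_col!r}")
    sql = f"SELECT id, netid, gpa FROM students ORDER BY {sort_col}"
    return conn.execute(sql).fetchall()
```

Escaping the quote character in `lookup_vulnerable` would close this particular hole but not the next one (numeric columns, LIKE wildcards, a different quoting rule on another database); binding the parameter removes the whole class, which is why the slide lists it first.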

Lifecycle: Updating, Patching, Monitoring, New features, Decommissioning.

How IT Can Help You…

What We Do… Notify you of 0-day (newly discovered) technology vulnerabilities; Notify you of your websites’/applications’ (scanned) vulnerabilities; Provide you with professional services to prevent small risks from becoming big incidents.

(Some of) Our Services… Risk Assessment Vulnerability Mitigation Website/Application Development/Hardening

Contact Us… @ help.unm.edu 505.277.5757 (ask for Miguel from Security)

Questions?
