Discussion Panelists: Justin C. Klein Keane Sr. Information Security Specialist University of Pennsylvania Jonathan Hanny Application Security Specialist.
Presentation transcript:

Discussion Panelists:
–Justin C. Klein Keane, Sr. Information Security Specialist, University of Pennsylvania
–Jonathan Hanny, Application Security Specialist, The George Washington University
–Shannon Ortiz, Director of IT Security, Fordham University

Copyright Jonathan Hanny. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Session Format
–Panelists will each present for approximately 10 minutes.
–Remainder of session will be Q&A.

Definitions
–Application Security: Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application. -Wikipedia
–SDLC: The Systems Development Life Cycle (SDLC) is the process of creating or altering systems, and the models and methodologies that people use to develop these systems. The concept generally refers to computer or information systems. The Systems Development Life Cycle (SDLC) is a logical process used by a systems analyst to develop an information system, including requirements, validation, training, and user (stakeholder) ownership. -Wikipedia

Application vulnerabilities are inevitable
–Bugs are guaranteed in software, and a certain portion will be security related
–Threats to web applications are global
–Security is an evolving field

Copyright Justin C. Klein Keane. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

What can we do?
–Intercept malicious traffic (Web Application Firewall)
–Monitor and react
–Scan and detect
–Standardize to centralize
–Regular code review
–Proactively audit code in development

–Developer training and safe coding practices
–Security review from architecture through development
–Final security audit before launch
–Commitment to ongoing security review

–Centralizing on one platform
–Auditing new and existing components
–Ongoing platform review
–Auditing old applications
–Working with developers to plan applications securely and reviewing applications before launch
–Intrusion detection for web applications

So, how do we secure our Application Systems?

Develop an Application Security Program
–Select a framework
–Integrate into the SDLC
–Develop repeatable processes

Select a framework
–Consider your organization's needs
–Consider regulatory requirements
–Consider existing best practices
–Consider your geographic region

FISMA (NIST)
Risk Management Framework Security Life Cycle (NIST SP rev2)
–Starting Point: Categorize Information System (FIPS 199/SP)
–Select Security Controls (FIPS 200/SP)
–Supplement Security Controls (SP/SP)
–Document Security Controls (SP)
–Implement Security Controls (SP)
–Assess Security Controls (SP)
–Authorize Security Controls (SP)
–Monitor Security Controls (SP/SP)

Integrate into the SDLC

Develop repeatable processes
–Clearly define the processes
–Clearly document the procedures
–Every application system is required to go through the program
–Educate, educate, educate

Our Challenges…
–Competing Constraints: Time, Scope and Cost
–Major ERP deployment, in just ONE month:
  7 physical servers (3 application + 4 database servers)
  52 virtual Solaris servers (12 for Banner application servers)
  5 Oracle database servers + 6 Windows SQL servers
–Extended Software Development Life Cycle: 4+ years of changes
–Threats: SQLi, XSS, bugs, flawed app/web server installs, etc…

Copyright Shannon Ortiz. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

“Do More With Less”
–Accept our limitations and work with them
–Find a solution that will help secure our environment, but it has to be affordable, replicable, easy, and provide business value
–We selected: WhiteHat Sentinel Service
–Vulnerability assessments are started as soon as the last one completes, potentially hundreds of times a year, at no additional cost
–IT Security staff is effectively increased by leveraging System, DBA and Application services resources
–Detailed vulnerability descriptions with guidelines on how to mitigate them
–Robust reporting with prioritization to help acquire those non-existent funds

Where does this fit in our SDLC?
Anywhere from Implementation to Maintenance (en.wikipedia.org/wiki/Waterfall_model)

What are our vulnerabilities?

WhiteHat Sentinel in Action: Role Play

WhiteHat Sentinel Summary
–Service was enabled: backend database, web server for access and, of course, application installation and configuration
–Launched WhiteHat
–Vulnerabilities were found
–Application owners notified, risk mitigated and re-tested
–We are safer… for now

What did you think? Your input is important to us! Click on “Evaluate This Session” on the Mid-Atlantic Regional program page. Thank you!