1
Securing Your Web Application and Database
June 9 – 10, 2016 Presenters: Garth Colasurdo, Nader Khalil, Tuan Bui
2
What we will cover today:
Why App/Database Security?
How-to: Development of a (Secured) App/Database
  Planning and Architecture
  Mobile and Web-based App Security Points
How IT Can Help You…
3
Why App/Database Security?
4
Because… there are bad people out there who want to exploit your work for personal gain.
Since November, at UNM:
559+ web vulnerabilities (potential exploits exist)
12+ compromised websites (forcibly taken over)
2 personal data incidents (FERPA)
6
How-to: Planning and Architecture
7
Planning and Architecture
Addressing Business Needs
New vs. Existing
Vendor vs. In-house
Cloud vs. On-premise
Business Needs, Technical Needs, User Needs
8
Planning and Architecture
Technology Choices
Type of application
Type of development tools
Type of hosting
Type of data to be collected
9
Planning and Architecture
Key Data Sensitivity
Type of data you may collect; "directory information"
Do not collect information you do not need
Sharing information with others
Data Classification
E Class (Encrypted): SSN (or part of it), tax information, student medical records
C Class (Confidential): GPA, race, gender
P Class (Public): name, address, telephone listing
10
Planning and Architecture
Roles and Responsibilities
Data Owners: senior administrators --> ultimate authority and responsibility for the access, accuracy, classification, and security of the data within their delegations of authority.
Data Stewards: University officials who have direct operational-level authority and responsibility for the management of one or more types of institutional data.
Data Custodians: responsible for the operation and management of technology, systems, and servers that collect, store, process, manage, and provide access to University data.
Data Users: authorized individuals --> use the data to perform assigned duties or functions within the University.
11
Planning and Architecture
Policies
Acceptable Computer Use, UNM Policy 2500
Computer Security Controls and Access to Sensitive and Protected Information
Credit Card Processing, UNM Policy 7215
Information Security, UNM Policy 2550
Social Security Numbers, UNM Policy 2030
Health Insurance Portability and Accountability Act (HIPAA), federal law
The Family Educational Rights and Privacy Act (FERPA), federal law
Standards: Data Classification, Data Encryption, Information Stewardship and Confidentiality
12
Planning and Architecture
Full Lifecycle Planning: Business Needs → Find a Solution → Security Assessment → Design → Implement → Support
13
How-to: Mobile or Web-based App Security Points
<? php secure_database.always ?> <protect.forms.no_injection.all> xScriptHijack(this.page) { xsite: false; }
14
Start Here: www.owasp.org
15
Restricting Access
Roles: customer roles, office roles
Can you use CAS (central authentication) instead of your own login?
Be very careful about local accounts; running your own account store is not a business you want to be in.
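The "roles" point above, and the horizontal/vertical privilege escalation warned about under Coding Best Practices, come down to one server-side check on every request. The following is an added example, not code from the presentation: the role names, permission strings and sample records are assumptions made for illustration. A vertical escalation is a customer obtaining an office-only permission; a horizontal escalation is one customer reading another customer's record. Both are denied here by default.

```python
"""Added example (not from the UNM deck): an authorization check that
enforces both the role (vertical) and the record owner (horizontal)."""
from dataclasses import dataclass


# Constructed sample data; the role and permission names are assumptions.
@dataclass(frozen=True)
class User:
    user_id: int
    role: str          # "customer" or "office"


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int


RECORDS = {
    101: Record(101, owner_id=1),
    102: Record(102, owner_id=2),
}

# Permissions are an explicit allow-list per role; anything not listed is denied.
ROLE_PERMISSIONS = {
    "customer": {"record:read_own"},
    "office": {"record:read_own", "record:read_any", "record:update_any"},
}


class Forbidden(Exception):
    pass


def can_read_record(user: User, record_id: int) -> bool:
    """Return True only if the user may read this record.

    Vertical check: does the role carry the permission at all?
    Horizontal check: if the role may only read its own data, does the
    record actually belong to this user?
    """
    record = RECORDS.get(record_id)
    if record is None:
        return False  # unknown record: deny, and do not leak existence via an error
    perms = ROLE_PERMISSIONS.get(user.role, set())   # unknown role -> no permissions
    if "record:read_any" in perms:
        return True
    if "record:read_own" in perms and record.owner_id == user.user_id:
        return True
    return False


def read_record(user: User, record_id: int) -> Record:
    """Enforce the check on the server for every request; never trust a role sent by the client."""
    if not can_read_record(user, record_id):
        raise Forbidden(f"user {user.user_id} may not read record {record_id}")
    return RECORDS[record_id]


if __name__ == "__main__":
    alice = User(1, "customer")
    staff = User(99, "office")
    print(read_record(alice, 101))          # own record: allowed
    print(read_record(staff, 102))          # office role: allowed
    try:
        read_record(alice, 102)             # another customer's record: horizontal escalation
    except Forbidden as e:
        print("denied:", e)
```

Note that the authorization decision is made from the session's user object, never from a role or user id carried in the request, which is what makes the check meaningful when an attacker edits the request.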
16
Server Configurations
Communication layer: SSL/TLS all the time
Source file access
File uploads from users
Error messages
17
Protecting Data
Credentials
Isolation
Transactions
Encryption
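For the "Credentials" and "Isolation" points, the two things most often done wrong are storing user passwords in a recoverable form and checking the application's own database password into source. The following is an added example, not code from the presentation: user passwords are stored only as a salted PBKDF2-HMAC-SHA256 hash and checked with a constant-time comparison, and the application's database account (assumed to be a separate least-privilege account, not the DBA login) takes its credentials from the environment. The iteration count, storage format and variable names are assumptions.

```python
"""Added example (not from the deck): storing and checking user credentials, and
keeping the application's own database credentials out of the source tree."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000   # assumption: tune so one hash takes roughly 100 ms on your hardware


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    A fresh random salt per user means two users with the same password get
    different hashes, and a precomputed table is useless.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:            # malformed record: treat as a failed login, never crash
        return False


def database_credentials(env=None) -> dict:
    """Isolation: the app connects with its own least-privilege DB account.

    The secret comes from the environment (or a secrets manager), never from a
    file in version control. Variable names are assumptions for the example.
    """
    env = os.environ if env is None else env
    user = env.get("APP_DB_USER", "")
    password = env.get("APP_DB_PASSWORD", "")
    if not user or not password:
        raise RuntimeError("APP_DB_USER and APP_DB_PASSWORD must be set")
    return {"user": user, "password": password, "host": env.get("APP_DB_HOST", "localhost")}


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                     # False
    print(database_credentials({"APP_DB_USER": "webapp", "APP_DB_PASSWORD": "example-only"}))
```

The stored string carries its own algorithm and iteration count, so the cost can be raised later and old records re-hashed on the user's next successful login without a migration.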
18
Coding Best Practices
Frameworks and MVC
Injection Protection: PDO (prepared statements) for PHP, SqlCommand() with parameters for .NET, createQuery() for Hibernate; stored procedures in the database
White-list input validation
Escape all user-supplied input
Session control
Horizontal or vertical escalation of privileges
Account for all error conditions
Request a security assessment
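The slide names PDO, SqlCommand() and createQuery() because each one lets the query and the user's value travel separately; the same technique in Python's sqlite3 DB-API is shown below as an added example, not code from the presentation. It also covers the two neighbouring bullets: white-list validation for the one place parameters cannot be used (a column name in ORDER BY), and escaping user-supplied input before it is put into HTML. The table and rows are constructed for the example.

```python
"""Added example (not the deck's code): the injection the slide warns about and the
fixes it names, using Python's sqlite3 in place of PDO / SqlCommand / createQuery."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students (id INTEGER, name TEXT, gpa REAL)")
    con.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [(1, "alice", 3.9), (2, "bob", 3.1), (3, "carol", 3.5)],
    )
    return con


def find_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the user's value is pasted into the SQL text,
    so a quote in the input changes the query's structure."""
    sql = f"SELECT id, name FROM students WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def find_parameterized(con: sqlite3.Connection, name: str) -> list:
    """Fixed: the value is bound to a placeholder and never parsed as SQL.
    This is what PDO prepared statements and SqlCommand parameters do."""
    return con.execute("SELECT id, name FROM students WHERE name = ?", (name,)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters,
# so the only safe option is a white-list.
SORTABLE_COLUMNS = {"id", "name", "gpa"}


def list_sorted(con: sqlite3.Connection, column: str) -> list:
    """White-list validation for the one piece of the query that must be interpolated."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return con.execute(f"SELECT name FROM students ORDER BY {column}").fetchall()


def render_name(name: str) -> str:
    """Escape user-supplied input before it goes into an HTML page (stored XSS defence)."""
    return f"<td>{html.escape(name)}</td>"


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print(find_vulnerable(con, payload))       # every row: the WHERE clause was rewritten
    print(find_parameterized(con, payload))    # []: no student has that literal name
    print(list_sorted(con, "gpa"))
    print(render_name("<script>alert(1)</script>"))
```

The payload `x' OR '1'='1` returns all three rows from the vulnerable function and nothing from the parameterized one; the difference is not escaping of quotes but the fact that the bound value is never part of the SQL text at all.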
20
Lifecycle
Updating
Patching
Monitoring
New features
Decommissioning
21
How IT Can Help You…
22
What We Do…
Notify you of 0-day (newly discovered) technology vulnerabilities
Notify you of your websites'/applications' (scanned) vulnerabilities
Provide professional services to prevent small risks from becoming big incidents
23
(Some of) Our Services…
Risk Assessment
Vulnerability Mitigation
Website/Application Development/Hardening
24
Contact Us… @ help.unm.edu (ask for Miguel from Security)
25
Questions?
26
References