Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of California, Irvine TechnoExpo, September 20041 Security Awareness for Web Developers Katya Sadovsky Administrative Computing.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "University of California, Irvine TechnoExpo, September 20041 Security Awareness for Web Developers Katya Sadovsky Administrative Computing."— Presentation transcript:

1 University of California, Irvine TechnoExpo, September 20041 Security Awareness for Web Developers Katya Sadovsky katya@uci.edu Administrative Computing Services

2 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 20042 Agenda  Overview of privacy regulations  Security architecture design  Authentication with WebAuth  File and directory security risks  Modeling and storing sensitive data  Sensitive data in cookies and URLs  Communication between distributed components  Peer Code Reviews

3 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 20043 End User Security  Since developers also happen to be end users of computing, topics covered in the “End User Security Awareness” session apply to attendees of this session as well.  Session materials are available at: http://apps.adcom.uci.edu/EnterpriseArch/Presen tationsConferences/TechnoExpo2004EndUserSe curity.ppt http://apps.adcom.uci.edu/EnterpriseArch/Presen tationsConferences/TechnoExpo2004EndUserSe curity.ppt

4 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 20044 Privacy regulations  State Bill 1386 (State Law) State Bill 1386 (State Law)  Family Educational Rights and Privacy Act (FERPA) Family Educational Rights and Privacy Act (FERPA)  Health Insurance Portability and Accountability Act (HIPAA) Health Insurance Portability and Accountability Act (HIPAA)  Digital Millennium Copyright Act Digital Millennium Copyright Act  Federal Trade Commission - Gramm-Leach-Bliley Act on Customer Privacy Federal Trade Commission - Gramm-Leach-Bliley Act on Customer Privacy  USA Patriot Act of 2002 USA Patriot Act of 2002

5 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 20045 State Bill 1386 (State Law)  “Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:  Social security number  Driver's license number or California Identification Card number.  Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

6 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 20046 FERPA  Family Educational Rights and Privacy Act  Federal law that protects the privacy of student education records.  Allows students to block access to their information or even existence.  Contact the Registrar for info and procedures.

7 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 20047 HIPAA  Health Insurance Portability and Accountability Act  “ Individually identifiable health information ” is private and must be protected in any form or media, whether electronic, paper, or oral.  Protect demographic data (i.e. name, address, birth date, Social Security Number) related to:  the individual’s past, present or future physical or mental health or condition  the provision of health care to the individual  the past, present, or future payment for the provision of health care to the individual

8 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 20048 Campus Policies you must know  You can find all policies at http://www.policies.uci.eduhttp://www.policies.uci.edu  714-11Guidelines for NACS Computer Usage 714-11  714-12 Office of Academic Computing Policy on Ownership and Rights of Access to Software and Data 714-12  714-14Copying Computer Programs 714-14  714-15 Policy on Access to University Administrative Information Systems 714-15  714-16Procedures for Accessing University Administrative Information Systems 714-16  714-17Using University Administrative Information Systems 714-17  714-18 Computer and Network Use Policy 714-18

9 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 20049 Using sensitive data in applications  Getting necessary approvals:  The Payroll/Personnel office or Human Resources must grant approval for access to private employee information  The Registrar has a formal process for approving student data release

10 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200410 Security Architecture Design  The Security Architecture must facilitate:  proper and efficient identification  authentication  authorization  administration and auditability  Identity management:  uniqueness  account management

11 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200411 Security Architecture Design  The Security Architecture also should:  be flexible to support the introduction and/or integration of new technologies  address and support multiple levels of protection, including database, network level, operating system, and application level security needs  provide a modular approach to authentication, authorization, and accounting

12 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200412 Security Architecture Design  Other design considerations:  Consider security during initial system design  Minimize the number of security devices  Delegate access control where appropriate  Centralize security policy, maintenance operation and oversight functions  Utilize Open Standards  Assign Security levels consistently and at the lowest level of access required by the individual

13 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200413 Authentication with WebAuth  WebAuth is the campus single-signon authentication mechanism  General information is available at http://www.nacs.uci.edu/help/webauth http://www.nacs.uci.edu/help/webauth  There is some additional info for Java programmers at http://snap.uci.edu/PortalDocs/webAuth/ssoWithWebAut h.html http://snap.uci.edu/PortalDocs/webAuth/ssoWithWebAut h.html  Single-Signon = Single-Signoff!  Once a user logs off one WebAuth-enabled application, s/he should be logged off all others

14 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200414 Authentication with WebAuth  Understand different timeouts:  Cookie age  Local session timeout  Logout:  Do not use “backend” logouts, since they do not dispose of a cookie correctly; use HTTP redirects instead.  Test your applications to make sure they reflect the logout as soon as it’s sent to WebAuth from this or any other application (even if there is a local session)!

15 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200415 File and directory security risks  Use operating system encryption capabilities to protect files with private data  Make sure that  Read/Write/Execute access on Files and Directories is correct  Sensitive files (i.e. passwords, SSN) are not world readable and are not located in Web accessible directories or sub- directories  Sensitive data such as passwords, SSN, account number is encrypted in files and/or databases  Log files are not world readable (keep in mind that URL query strings from GET requests are logged to a file)

16 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200416 Data modeling  When designing database tables for an application, note that:  Application must be able to deal with cross- references  Campus_ID offers the greatest degree of flexibility when choosing a table key, as opposed to student ID or employee ID  Social Security Number should never be used as a person key and should be avoided

17 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200417 Storing sensitive data  AVOID storing sensitive data if at all possible!  If you have to store sensitive data:  Encrypt table records and/or files that contain:  password, SSN, home phone/address, credit card, bank account, California Driver's License, non-public student or employee data, or FERPA blocked student data  Use encrypted transmission for data retrieval and modification  Educate end users about the sensitivity of the data

18 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200418 Storing sensitive data, cont’d  Catalogue and inventory your use of personal data  Make sure data is backed up:  In the case data is compromised, use backups to notify affected individuals.

19 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200419 Sensitive data in cookies and URLs  Do NOT store sensitive data of any kind in cookies or URLs (GET requests are logged in web log files).  Using WebAuth for authentication eliminates the need to invent an authentication mechanism (and store passwords in cookies ).  Use non-persistent cookies (that disappear once a browser is closed) instead of persistent ones.

20 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200420 Communication between distributed components  Document how the data is used by each component  Transmissions/exchanges of private information must be encrypted using protocols like:  HTTPS  SFTP  SSH  STunnel  VPN: http://www.nacs.uci.edu/security/vpn.htmlhttp://www.nacs.uci.edu/security/vpn.html  Always use a POST method when your forms submit any private information

21 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200421 Page Caching  Be aware that pop-up windows with sensitive information may remain open even after logout  Pages with sensitive data should not be cached: page content is easily accessed using browser’s history  Use the following tags to disable page caching:

22 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200422 SQL Injection Attacks  SQL Injection examples are outlined in: http://searchdatabase.techtarget.com/searchData base/downloads/sqlServerSecurity.pdf http://searchdatabase.techtarget.com/searchData base/downloads/sqlServerSecurity.pdf  To prevent these hacks:  Validate parameter types and values before inserting them into an SQL statement (never use raw parameter data for SQL)  Test for these vulnerabilities as part of a functional test

23 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200423 Code Reviews  Employ peer code reviews to catch oversights  More formal code reviews may be necessary for highly sensitive applications

24 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200424 Summary  Understand what constitutes private data  Understand security and privacy regulations  Avoid storing sensitive data if possible  Encrypt private data in storage and communication  Review data storage and code periodically  Make sure there is a backup person for the security administrator

25 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200425 Useful links  UCOP IT security site: http://www.ucop.edu/irc/itsec/ http://www.ucop.edu/irc/itsec/  NACS security site: http://www.nacs.uci.edu/security/index.html http://www.nacs.uci.edu/security/index.html  AdCom application security checklist: http://snap.uci.edu/viewXmlFile.jsp?xml=webpag es/xml/sdlc/checkListSecurityReview.xml http://snap.uci.edu/viewXmlFile.jsp?xml=webpag es/xml/sdlc/checkListSecurityReview.xml

26 University of California, Irvine (Administrative Computing Services) TechnoExpo, September 200426 Questions ?

Download ppt "University of California, Irvine TechnoExpo, September 20041 Security Awareness for Web Developers Katya Sadovsky Administrative Computing."

Similar presentations

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,

Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.

Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
1.7.6.G1 © Family Economics & Financial Education –March 2008 – Financial Institutions – Online Banking Funded by a grant from Take Charge America, Inc.

1.7.6.G1 © Family Economics & Financial Education –March 2008 – Financial Institutions – Online Banking Funded by a grant from Take Charge America, Inc.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
University of California, Irvine TechnoExpo, 20061 Computer Security: What do I really need to know NOW! Marina Arseniev - Associate Director, Administrative.

University of California, Irvine TechnoExpo, Computer Security: What do I really need to know NOW! Marina Arseniev - Associate Director, Administrative.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.
Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.

Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.

Similar presentations

Ads by Google