
Making the Campus Web Safer: One application at a time. Diane Gierisch, Senior Systems Analyst; PJ Abrams, CISSP, Senior Systems Analyst. Copyright The University of Texas at Austin, 2007.


1 Making the Campus Web Safer: One application at a time
Diane Gierisch, Senior Systems Analyst
PJ Abrams, CISSP, Senior Systems Analyst
Copyright The University of Texas at Austin, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Overview
Background – Community, Environment, Reality Check
Project Details
–Training
–WebAppSec Class Development
–Scanning Tools
Lessons Learned
Questions

3 Our community
350-acre campus
2,500 - 3,000 faculty
14,000 - 18,000 staff
16 colleges and schools
Almost 50,000 students
>3,500,000 Electronic IDs

4 Our Environment
Over 50 IT organizations on campus
Hundreds of campus programmers and publishers
Diverse environment
–PHP, PERL, Java, .NET, ColdFusion, webAgent, more …
49,077 distinct IP addresses
Several hundred Web servers
More than 2,000 wireless network access points

5 Why? Pay now or pay later!

6 Reality check….
312 data thefts disclosed in 2006
28% were educational institutions
–51% were the result of breaches
–27% were hardware thefts or losses
–Over 1.8 million people affected
Estimated $59.5 billion national cost of inadequate software testing

7 Our reality….
2003 Breach
2006 Breach
University President attention
Cost of breaches
–Thousands of staff hours
–Hundreds of thousands of dollars
–Damage to reputation – priceless
Pending legislation

8 Project Objectives
Focus on Web Application Security
Increase general security awareness
Broaden use of vulnerability scanner
Increase coordination
–Information Security Office (ISO)
–System Administrators
–Developers

9 Project Deliverables
Web Application Security Workshop for campus developers
Internal web site:
–Policies, Guidelines, Standards, Procedures
–External Resources
Increase exposure of security scanning tool
Formal process for conducting security code reviews
Formal procedure for addressing vulnerabilities

10 Timeline

11 Where to start? Identify common web application security issues…

12 OWASP Open Web Application Security Project “The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software.”

13 OWASP
Provide tools and resources to assist with the security assessment and remediation process
–WebScarab: framework for analyzing applications that communicate using the HTTP and HTTPS protocols
–WebGoat: a deliberately insecure J2EE web application
–OWASP Top Ten: common web application security vulnerabilities

14 OWASP Top Ten
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting
5. Buffer Overflow
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Application Denial of Service
10. Insecure Configuration Management

15 OWASP Top Ten (2007 release candidate 1)
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Insecure Remote File Include
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

16 Training the trainers
Investigate Options
Certifications …?
–GIAC
–SANS
Study Groups …?
External Training …?

17 Training the trainers
Scheduled external Security Training
–Provided by Aspect Security
Included broad community
–Central IT Developers and Consultants
–Human Resources
–Student Information Systems
–Information Security Office

18 Developing the class

19 Identifying the Audiences
Increased communications (mailing lists, user groups, etc.)
Started with shorter presentations …
–PHP
–Java
–Cold Fusion
–webAgent

20 About the Class

21 Class Objectives
Web Focus
Web Browsers
Clients
–java.net, telnet, etc. …
Inherit limitations of HTTP
Why the client cannot be trusted
Focus on server-side controls
OWASP
Re-envision the Web

22 Class: Definitions
“The Internet”
“Security”

23 Sample

24

25

26 Class: What is security?
Physical
Technical
Administrative

27 Class: Language Agnostic Concepts
Need to Know
Least Privilege
Positive Security Model
Fail Securely
Reduce Your Attack Surface
Apply Defense in Depth
Log Activity
Avoid Security by Obscurity
Keep Security Simple

28 Class: Policies, Guidelines
University System Bulk Policy Memoranda
University Data Classification
Federal (FERPA, HIPAA)
State (Texas Computer Crimes Law)

29 Class: Glimpse @ Tools
WebScarab

30 Class: Glimpse @ Tools
Tamper Data

31 Class
Lecture style
8-hour class
Multiple instructors
–Web Team
–Software Development Team
–Information Security Office

32 Class
OWASP-based demos
Sample Code
Activities to encourage participation
Follow-up sessions
Automated scanning tools

33 Sample Slide …

34 Training Progress
Trained over 100 developers
Over 20 Colleges/Business Units
Class fills within minutes of announcement
Requests from departments to tailor the class
Good feedback

35 Automated Scanning

36 Automated scanning tools…
Not a silver bullet
We chose Watchfire/SecurityXM
–Various security and compliance reports
–HIPAA, OWASP, SOX …
Other tools/options
–SPI Dynamics has WebInspect
–Cenzic has Hailstorm
–WhiteHat has Sentinel

37 SecurityXM at UT Austin
Not all that automated
The Process

38 Future of scanning at UT… AppScan Enterprise

39 Our low-hanging fruit…
Server Configuration Changes
–Security vs. Convenience
–Tomcat, Apache, IIS
Disabling some HTTP methods
Limiting access to backup files
Limiting file access
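The three server-side "low-hanging fruit" changes above, written out as one Apache httpd configuration fragment. This is an added illustration, not configuration from the presentation or from UT Austin; the document-root path and the list of backup-file suffixes are assumptions, and the access-control syntax is the Apache 2.4 Require form rather than the 2.2 Order/Deny form in use at the time.

```apache
# Added example (not from the presentation). Paths and suffixes are assumptions;
# access-control syntax is Apache 2.4 (Require), not the 2.2 Order/Deny form.

# Disable TRACE globally: it echoes request headers, cookies included.
TraceEnable Off

# Limiting file access: deny the whole filesystem by default, then grant
# only the application's document root, with directory listings,
# symlink following and .htaccess overrides switched off.
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "/var/www/app">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted

    # Disabling some HTTP methods: anything but GET, HEAD and POST gets 403,
    # so PUT/DELETE cannot reach a handler that was never meant to see them.
    <LimitExcept GET HEAD POST>
        Require all denied
    </LimitExcept>
</Directory>

# Limiting access to backup files: editors and deploy scripts leave copies
# such as config.php.bak, index.jsp~ or .index.php.swp beside the originals,
# and the server would otherwise hand their source over as plain text.
<FilesMatch "(\.(bak|orig|old|swp|save|tmp)|~)$">
    Require all denied
</FilesMatch>
```

Run `apachectl configtest` after the change, then confirm with a plain HTTP client that a TRACE or PUT request and a request for a `.bak` file both return 403 before relying on it.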

40 Continuing Activities

41 Timeline

42 Continuing activities…
Web Application Security Initiative
–Checklists & Guidelines
–Code libraries
–New classes
Manual pen tests
AppScan scanning
Web Application Workshop
Minimum Security Standards for Application Development and Administration

43 Lessons Learned

44 Important lessons…
Hard to engage people
–Overwhelmed by new information
–Already working hard
–Provide next steps
–Follow-up sessions

45 More important lessons…
Security must be everyone’s concern!
–System Administrators
–Information Security Office (ISO)
–Application Developers
–Managers
–Executives
–Clients
–End Users

46 Still more important lessons…
Time and Money
–Pay now or pay later
–After a breach you’re forced to find time and money
Requires attitude shift
Our Process
–Finding resources for the “Project”

47 The most important lesson You MUST find the time now! Or you WILL find the time later…

48 Questions

49 Contact Information
Diane Gierisch, Senior Systems Analyst, d.gierisch@its.utexas.edu
PJ Abrams, Senior Systems Analyst, p.abrams@its.utexas.edu
