Presentation is loading. Please wait.

Presentation is loading. Please wait.

2015 16th Annual PABUG Conference Application Security Discussion Monday, November 23 rd, 2015 2:40-3:30p.m. Maureen Castaldi, Assistant Director Database.

Published byAriel Doyle Modified over 8 years ago

Similar presentations

Presentation on theme: "2015 16th Annual PABUG Conference Application Security Discussion Monday, November 23 rd, 2015 2:40-3:30p.m. Maureen Castaldi, Assistant Director Database."— Presentation transcript:

1 2015 16th Annual PABUG Conference Application Security Discussion Monday, November 23 rd, 2015 2:40-3:30p.m. Maureen Castaldi, Assistant Director Database Systems Cindy Hricko, Assistant Director of IT Development and Applications

2 2015 16th Annual PABUG Conference General Announcements: Please turn off all cell phones/pagers If you must leave the session early, please do so as discreetly as possible Please avoid side conversations during the session Questions will be answered ….. Thank you for your cooperation

3 2015 16th Annual PABUG Conference To receive CPE credits for this session (if eligible), complete the CPE Attendance Form on the PABUG Annual Conference website http://pabug.org/pennsylvania-banner-users- group-annual-conference/cpe-credits/ or via the PABUG conference app. For additional questions please contact Kim Fremont CPE - Coordinator http://pabug.org/contact-us/ http://pabug.org/contact-us/ CPE Credits - We’ve gone electronic!

4 2015 16th Annual PABUG Conference Development staff working within the constraints of Security Security, Security, Security –Industry Best Practices – what we know –Internal Auditor findings – what we don’t know –Retrofit security into our operations – how can we incorporate the change that is needed without STOPPING progress? Module owners and integration account passwords changed on a regular schedule Formalized procedures for code and data changes New developers not given access to servers – takeaway from last years session – THANK YOU! ESM Implementation for a more controlled upgrade environment Developers/BAA’s are still using shared privilege accounts Legacy code that may not be up to “security” standards

5 2015 16th Annual PABUG Conference Other Hot Topics –Application Security SDLC with concentrated effort to include Security. Application Inventory/Data Classification Software Version Control/Movement through environments Third Party product selection/vetting –Reducing restricted data in the database Archive/purge processes Oracle12c Data Redaction (dev/QA) –DB Audit and Firewall –Making the move to Banner XE environment –Training/Cross-training

6 2015 16th Annual PABUG Conference Application Security Software Development Life Cycle Procedure How many have an informal SDLC? Formalized? –Informal process since 1991 –Auditor Finding: need for a more formalized process for new applications or acquisition of software systems –Policy vs. Procedures

7 2015 16th Annual PABUG Conference Application Security Software Development Life Cycle Framework -Different Phases are being incorporated based on our Current Change Management Software (i.e.. Initiation Phase – Open Status, Requirement Phases – Authorized, etc.) -Supplemental security standards will be in place -Supplemental SDLC procedures and documentation for Developers. –Augmenting with checklist for SDLC procedures and Security Standards.

8 2015 16th Annual PABUG Conference Application Security Software Development Life Cycle Framework Overall SDLC Procedures Initiation/Feasibility Phase –How does your institution determine cost analysis and business justification? Willing to share scorecard for determing? –What Governance structures are in place by others schools to determine a modification or new system?

9 2015 16th Annual PABUG Conference Application Security Software Development Life Cycle Framework Requirement Analysis Phase –Requiring a formalized user requirement document. –Information Security Office consults when dealing with Restricted Data. –What is being done at your institution with regards to Security? –How does your institution determine if a third party vendor is to be used or do you write custom applications?

10 2015 16th Annual PABUG Conference Application Security Software Development Life Cycle Framework Design Phase –Creation of Design Document will be required –May determine a third party product to be used. –Use Security Office and Legal to purchase software. –Standard checklist for third party checklist. How many have a formalized process for purchasing software? Is IT always involved?

11 2015 16th Annual PABUG Conference Application Security Software Development Life Cycle Framework Development Phase –Supplemental Security Standards –Requiring the need to pull in Information Security Office if it deals with Restricted Data. –Sensitive Data software (i.e. Advancement Form) was run through a security vendor (i.e. Control Scan)

12 2015 16th Annual PABUG Conference Application Security Standards Software Development Life Cycle Framework Systems Testing and Acceptance Phase OWASP Training Authentication Routines Error Handling Security Tools – Reports attached to Change Management Ticket. What tools are being used at other institutions? –Accunetix- OWASP top 10. –VCG(VisualCodeGrepper) for Source Code Scanning Testing (Peer, Integration, Customer) Anyone using performance testing software? User Sign-off Testing

13 2015 16th Annual PABUG Conference Application Security Standards Software Development Life Cycle Framework Implementation Phase –Functional/Operational Documentation –User Training –Source Code Moves Operations and Maintenance Phase –Retest through Security tools including if there are any major configuration or architecture changes.

14 2015 16th Annual PABUG Conference Application Security Standards Software Development Life Cycle Framework Benefits to formalizing –Security is fore-front –No steps will get missed. –Designing of Templates for different types of applications (PHP, PL/SQL, etc.). –More Rapid Development –Start of our Application Security Inventory –Forces tracking of Applications and deprecation

15 2015 16th Annual PABUG Conference Application Security Application Inventory and Data Classification Does your institution have a formalized way to track and classify applications? –Information Classification & Protection Policy Data classified in 3 categories –Restricted - PII – SSN, account information, routing numbers (HIPAA) –Confidential – Private for internal University business (FERPA) –Public –Phase I Identify and review software that reports Restricted Data –Run through the SDLC Security Guide/Checklist Create an application inventory 4000+ in-house developed programs (pro*c, sql,shl, plsql,forms,argos) –Phase II Identify and review software that reports Confidential Data

16 2015 16th Annual PABUG Conference Application Security Software Version Control and movement through environments (dev,qa,prd) How many using GIT? Subversion? –Scranton’s “semi-automated” software move process NOW Code modified in Development environment Command to Move (Add/Update), Delete, PL/SQL compilation, or some other linux command added to a project file that corresponds to process date MWF – project file is processed for QA and Production, T,Th – project file processed for QA only –mv.qa /home/banner/scranton/some_plsql.sql –sp.qa baninst1 @/home/banner/scranton/some_plsql Human intervention to process the file, check for errors, validate objects

17 2015 16th Annual PABUG Conference Application Security Software Version Control –FUTURE – debate whether in-house version control should be GIT or Subversion Currently using GITHUB for our mobile code Ellucian is using GITHUB for XE. Realized that GIT was beneficial for big projects with many hands working on it. The use of branching and merging seems to be the most advantageous feature which our developers would not be using. Subversion appears to work in line with how we work. We have a $SCRANTON_HOME branch with appr 30-40 folders, so we would need a repo for each. We will be using Turtoise SVN.

18 2015 16th Annual PABUG Conference Other Hot Topics –Reducing restricted data in the database Archive/purge processes –Number of Ellucian processes out there, but we aren’t using many of them. What processes are your institution currently using in production? Oracle12c Data Redaction (dev/QA) –DB Audit and Firewall –Making the move to Banner XE environment –Training/Cross-training

19 2015 16th Annual PABUG Conference Open to the Floor Questions??? Maureen Castaldi maureen.castaldi@scranton.edu Cindy Hricko cindy.hricko@scranton.edu

20 2015 16th Annual PABUG Conference Please take time to complete our Conference and Session evaluations. YOUR INPUT MATTERS!!!

Download ppt "2015 16th Annual PABUG Conference Application Security Discussion Monday, November 23 rd, 2015 2:40-3:30p.m. Maureen Castaldi, Assistant Director Database."

Similar presentations

2013 14th Annual PABUG Conference Session Title Presenter Name.

th Annual PABUG Conference Session Title Presenter Name.
Pennsylvania BANNER Users Group 2007 Automating the Freshman Parent Load.

Pennsylvania BANNER Users Group 2007 Automating the Freshman Parent Load.
Pennsylvania Banner Users Group 2008 Fall Conference Finance Reporting from the ODS using Cognos.

Pennsylvania Banner Users Group 2008 Fall Conference Finance Reporting from the ODS using Cognos.
Pennsylvania BANNER Users Group 2006 Integrate Your Decision Support with Cognos 8.

Pennsylvania BANNER Users Group 2006 Integrate Your Decision Support with Cognos 8.
Pennsylvania Banner Users Group 2008 Fall Conference IUP Enrollment Management Solutions Jeff Montgomery.

Pennsylvania Banner Users Group 2008 Fall Conference IUP Enrollment Management Solutions Jeff Montgomery.
Pennsylvania Banner Users Group 2009 Fall Conference Implementing Imaging 11/24/2009.

Pennsylvania Banner Users Group 2009 Fall Conference Implementing Imaging 11/24/2009.
Scribin’ in Style Developing a Scribe Style Manual for Your Scribers.

Scribin’ in Style Developing a Scribe Style Manual for Your Scribers.
Illinois Institute of Technology

Illinois Institute of Technology
Software Engineering Institute Capability Maturity Model (CMM)

Software Engineering Institute Capability Maturity Model (CMM)
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Auditing Systems Development, Acquisition and Maintenance

Auditing Systems Development, Acquisition and Maintenance
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
Financials – Phase II Kick-Off Meeting September 11, 2008 Brenda Bolander, State Comptroller Michael Grisser, Project Manager.

Financials – Phase II Kick-Off Meeting September 11, 2008 Brenda Bolander, State Comptroller Michael Grisser, Project Manager.
CUSTOMIZING THE COLLEAGUE AAI Kami Jenks North Idaho College July 31, 2015 Information Technology Coeur d’Alene, Idaho.

CUSTOMIZING THE COLLEAGUE AAI Kami Jenks North Idaho College July 31, 2015 Information Technology Coeur d’Alene, Idaho.
Pass SOX security audits and Improve XA security CISTECH Security Solutions Belinda Daub, Senior Consultant Technical Services

Pass SOX security audits and Improve XA security CISTECH Security Solutions Belinda Daub, Senior Consultant Technical Services
DIY Site Review + Summer Cleaning Keeping Your System Running Smoothly Rachel & Kevin.

DIY Site Review + Summer Cleaning Keeping Your System Running Smoothly Rachel & Kevin.
2015 16th Annual PABUG Conference IUP Mobile 2.1 Doug Rutledge.

th Annual PABUG Conference IUP Mobile 2.1 Doug Rutledge.
Software Quality Assurance

Software Quality Assurance
2013 NPMA Spring Conference Value Through Professional Asset Management Considerations in Developing a Property Management System.

2013 NPMA Spring Conference Value Through Professional Asset Management Considerations in Developing a Property Management System.
CSI-MAXIMUS, Inc......... CSI Comprehensive Service & Support Implementing the CSI Way.

CSI-MAXIMUS, Inc CSI Comprehensive Service & Support Implementing the CSI Way.

Similar presentations

Ads by Google