
Making the Campus Web Safer: One application at a time

Diane Gierisch, Senior Systems Analyst PJ Abrams, CISSP, Senior Systems Analyst Copyright The University of Texas at Austin, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Overview • Background – Community, Environment, Reality Check • Project Details – Training – WebAppSec Class Development – Scanning Tools • Lessons Learned • Questions

Our community

• 350 acre campus • 2,500 - 3,000 faculty • 14,000 - 18,000 staff • 16 colleges and schools • almost 50,000 students • >3,500,000 Electronic IDs

Our Environment

• Over 50 IT organizations on campus • Hundreds of campus programmers and publishers • Diverse environment – PHP, PERL, Java, .NET, ColdFusion, webAgent, more … • 49,077 distinct IP addresses • Several hundred Web servers • More than 2,000 wireless network access points

Pay now or pay later!

Why?

Reality check….

• 312 data thefts disclosed in 2006 • 28% were educational institutions – 51% were the result of breaches – 27% were hardware thefts or losses – Over 1.8 million people affected • Estimated $59.5 billion national cost of inadequate software testing

Our reality….

• 2003 Breach • 2006 Breach • University President attention • Cost of breaches – Thousands of staff hours – Hundreds of thousands of dollars – Damage to reputation – priceless • Pending legislation

Project Objectives • Focus on Web Application Security • Increase general security awareness • Broaden use of vulnerability scanner • Increase coordination

Coordination among the Information Security Office (ISO), System Administrators and Developers

Project Deliverables • Web Application Security Workshop for campus developers • Internal web site: – Policies, Guidelines, Standards, Procedures – External Resources • Increase exposure of security scanning tool • Formal process for conducting security code reviews • Formal procedure for addressing vulnerabilities

Timeline

Where to start?

Identify common web application security issues…

OWASP

Open Web Application Security Project “The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software.”

OWASP

Provide tools and resources to assist with the security assessment and remediation process

WebScarab Framework for analyzing applications that communicate using the HTTP and HTTPS protocols

WebGoat a deliberately insecure J2EE web application

OWASP Top Ten Common web application security vulnerabilities

OWASP Top Ten (2004)

1. Unvalidated Input 2. Broken Access Control 3. Broken Authentication and Session Management 4. Cross Site Scripting 5. Buffer Overflow 6. Injection Flaws 7. Improper Error Handling 8. Insecure Storage 9. Application Denial of Service 10. Insecure Configuration Management

OWASP Top Ten (2007 release candidate 1)

1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Insecure Remote File Include 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access
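The two items at the top of the 2007 list, XSS and injection, share one root cause: untrusted input reaching an interpreter (the SQL engine, the browser's HTML parser) as code rather than as data. The following is an added example, not code from the presentation or from UT Austin; it uses a constructed in-memory SQLite table with a fictional account, and shows each flaw beside its fix (bound parameters for the query, HTML entity encoding for the output).

```python
import html
import sqlite3


# Constructed sample database for this example; the account is fictional.
# Passwords are kept in clear text here only to keep the example short; a
# real application stores a salted hash (insecure cryptographic storage is
# its own item, A8, on the 2007 list).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (eid TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, eid, password):
    """A2 Injection: untrusted input is pasted into the SQL text."""
    sql = ("SELECT eid FROM users WHERE eid = '%s' AND password = '%s'"
           % (eid, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, eid, password):
    """Same query with bound parameters: input can never change the SQL."""
    sql = "SELECT eid FROM users WHERE eid = ? AND password = ?"
    return conn.execute(sql, (eid, password)).fetchone() is not None


def greeting_vulnerable(name):
    """A1 XSS: untrusted input is echoed into the HTML body unescaped."""
    return "<p>Welcome, %s!</p>" % name


def greeting_safe(name):
    """Output encoding for the HTML body context: <, >, &, quotes become entities."""
    return "<p>Welcome, %s!</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = build_db()
    # The attacker's EID closes the quote and comments out the password check.
    payload = "alice' --"
    print(login_vulnerable(db, payload, "wrong"))   # True: logged in without the password
    print(login_safe(db, payload, "wrong"))         # False
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```

The parameterized version needs no escaping of its own, which is the point: the fix is structural, not a filter that an attacker can look for gaps in. The escaping in `greeting_safe` is correct only for text placed in the HTML body; an attribute, a URL or a script block each need their own encoding.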

Training the trainers • Investigate Options • Certifications …? – GIAC – SANS • Study Groups …? • External Training …?

Training the trainers • Scheduled external Security Training – Provided by Aspect Security • Included broad community – Central IT Developers and Consultants – Human Resources – Student Information Systems – Information Security Office

Developing the class

• Identifying the Audiences • Increased communications (mailing lists, user groups, etc) • Started with shorter presentations … – PHP – Java – Cold Fusion – webAgent

About the Class

Class Objectives

Re-envision the Web • Web Focus • Web Browsers • Clients – java.net, telnet, etc … • Inherit limitations of HTTP • Why the client cannot be trusted • Focus on server side controls • OWASP
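The "client cannot be trusted" point is easiest to see with a hidden form field: the server rendered it, but the browser (or anything speaking HTTP, from telnet to a proxy such as WebScarab or the Tamper Data add-on) can send back whatever it likes. The following is an added example, not code from the presentation; the catalog, item names and prices are constructed for it. The vulnerable handler believes the submitted price; the hardened one recomputes it from server-side data and validates the only fields the client is entitled to choose.

```python
from urllib.parse import parse_qs

# Constructed server-side catalog; item names and prices are illustrative.
CATALOG = {"parking-permit": 150, "transcript": 20}
MAX_QTY = 10


def checkout_vulnerable(form_body):
    """Trusts the hidden 'price' field that the server's own page rendered.

    Anything in the request, hidden fields included, can be rewritten
    before it leaves the client, so this price is attacker-controlled.
    """
    form = parse_qs(form_body)
    item = form["item"][0]
    qty = int(form["qty"][0])
    price = int(form["price"][0])
    return item, price * qty


def checkout_safe(form_body):
    """Server-side control: the price comes from the catalog, never from
    the client, and the fields the client may choose are validated."""
    form = parse_qs(form_body)
    item = form.get("item", [""])[0]
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", [""])[0])
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    # A 'price' field in the submission, if present, is simply ignored.
    return item, CATALOG[item] * qty


if __name__ == "__main__":
    honest = "item=parking-permit&qty=1&price=150"
    tampered = "item=parking-permit&qty=1&price=1"
    print(checkout_vulnerable(honest), checkout_vulnerable(tampered))
    print(checkout_safe(honest), checkout_safe(tampered))
```

The same reasoning applies to client-side JavaScript validation, `maxlength` attributes, disabled controls and cookie contents: they improve the user's experience but enforce nothing, so every check must be repeated on the server.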

Class: Definitions: “The Internet”, “Security”

What is security? Controls: Physical, Technical, Administrative. Data properties: Confidentiality, Integrity, Availability.

Language Agnostic Concepts

• Need to know • Least Privilege • Positive Security Model • Fail Securely • Reduce Your Attack Surface • Apply Defense in Depth • Log Activity • Avoid Security by Obscurity • Keep Security Simple
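Several of these concepts show up together in a small amount of ordinary server-side code. The following is an added example, not code from the class or from UT Austin: the ID format, roles and actions are assumptions made for it. It shows a positive security model (an allowlist pattern rather than a list of bad characters), need to know and least privilege (each role holds only the actions its job needs, with no catch-all role), failing securely (deny is the outcome for an unknown role, an ungranted action, and an error inside the decision itself) and logging every decision.

```python
import re

# Positive security model: describe what IS allowed and reject everything
# else. This ID shape is an assumption for the example, not the real EID rule.
EID_PATTERN = re.compile(r"[a-z][a-z0-9]{1,7}")


def is_valid_eid(value):
    """Allowlist check: exactly the permitted shape, nothing else."""
    return isinstance(value, str) and EID_PATTERN.fullmatch(value) is not None


# Need to know / least privilege: each role gets only the actions its job
# requires; there is deliberately no role that holds everything. Roles and
# actions are constructed for the example.
PERMISSIONS = {
    "student": {"view_own_grades"},
    "advisor": {"view_own_grades", "view_advisee_grades"},
    "registrar": {"view_own_grades", "view_advisee_grades", "edit_grades"},
}


def policy_lookup(role, action):
    """True only for an explicitly granted (role, action) pair."""
    return action in PERMISSIONS.get(role, set())


def authorize(role, action, audit_log, lookup=policy_lookup):
    """Fail securely and log activity.

    Deny is the default outcome: for a pair that is not granted, for an
    unknown role, and for any error raised while deciding. The 'lookup'
    argument only exists so the error path can be exercised in a test.
    """
    try:
        allowed = bool(lookup(role, action))
    except Exception as exc:  # any failure in the decision path means deny
        audit_log.append("DENY role=%r action=%r reason=error:%s"
                         % (role, action, exc))
        return False
    audit_log.append("%s role=%r action=%r"
                     % ("ALLOW" if allowed else "DENY", role, action))
    return allowed


if __name__ == "__main__":
    log = []
    print(is_valid_eid("pj123"), is_valid_eid("pj123' OR '1'='1"))
    print(authorize("registrar", "edit_grades", log))   # True
    print(authorize("student", "edit_grades", log))     # False
    print(authorize("dean", "view_own_grades", log))    # False: unknown role
    for line in log:
        print(line)
```

Note what is absent: there is no denylist of dangerous characters to keep up to date, and no branch that grants access when something unexpected happens. An allowlist that is too strict produces a support ticket; a denylist that is too loose produces a breach.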

Policies, Guidelines • University System Bulk Policy Memoranda • University Data Classification • Federal (FERPA, HIPAA) • State (Texas Computer Crimes Law)

Glimpse @ Tools • WebScarab • Tamper Data

Class • Lecture style • 8 hour class • Multiple instructors – Web Team – Software Development Team – Information Security Office

Class • OWASP based demos • Sample Code • Activities to encourage participation • Follow-up sessions • Automated scanning tools

Sample Slide … (webAgent)

Training Progress • Trained over 100 developers • Over 20 Colleges/Business Units • Class fills within minutes of announcement • Requests from departments to tailor the class • Good feedback

Automated Scanning

Automated scanning tools…

• Not a silver bullet • We chose Watchfire/SecurityXM – Various security and compliance reports – HIPAA, OWASP, SOX … • Other tools/options – SPI Dynamics has WebInspect – Cenzic has Hailstorm – WhiteHat has Sentinel

SecurityXM at UT Austin

• Not all that automated • The Process

Future of scanning at UT…

• AppScan Enterprise

Our low-hanging fruit… • Server Configuration Changes –Security vs. Convenience –Tomcat, Apache, IIS • Disabling some HTTP methods • Limiting access to backup files • Limiting file access
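For the Apache part of that list, the changes are a few lines of server configuration. The fragment below is an added example, not the university's configuration: the directory path is assumed, and it uses the Apache 2.2 access-control syntax of the period (on 2.4, `Require all denied` replaces the `Order`/`Deny` pairs). Each block names the default it tightens.

```apache
# Default: every method Apache understands (PUT, DELETE, OPTIONS, ...) reaches
# the application. Allow only the methods the application actually handles.
<Directory "/var/www/app">
    Options -Indexes              # no directory listings when index.* is missing
    <LimitExcept GET POST HEAD>
        Order allow,deny
        Deny from all
    </LimitExcept>
</Directory>

# TRACE is not covered by Limit/LimitExcept and is on by default; switch it off.
TraceEnable off

# Editor backups and copies left beside live code (config.php~, db.inc.bak,
# index.jsp.old) are served as plain text by default, source included.
<FilesMatch "(~|\.(bak|old|orig|swp|save))$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Version-control metadata checked out under the document root.
<DirectoryMatch "/\.(svn|git)(/|$)">
    Order allow,deny
    Deny from all
</DirectoryMatch>
```

After a change like this, confirm it from outside with the same tools the class uses: request a `.bak` path and an `OPTIONS` or `TRACE` request through WebScarab and check that the server now answers 403 or 405 rather than 200.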

Continuing Activities

Timeline

Continuing activities… • Web Application Security Initiative – Checklists & Guidelines – Code libraries – New classes • Manual pen tests • AppScan scanning • Web Application Workshop • Minimum Security Standards for Application Development and Administration

Lessons Learned

Important lessons…

• Hard to engage people – Overwhelmed by new information – Already working hard – Provide next steps – Follow-up sessions

More important lessons… • Security must be everyone’s concern!

– System Administrators – Information Security Office (ISO) – Application Developers – Managers – Executives – Clients – End Users

Still more important lessons…

• Time and Money – Pay now or pay later – After breach you’re forced to find time and money • Requires attitude shift • Our Process – Finding resources for the “Project”

The most important lesson

You MUST find the time now! Or you WILL find the time later…

Questions

Contact Information Diane Gierisch Senior Systems Analyst [email protected]

PJ Abrams Senior Systems Analyst [email protected]