Making the Campus Web Safer: One application at a time
Diane Gierisch, Senior Systems Analyst PJ Abrams, CISSP, Senior Systems Analyst Copyright The University of Texas at Austin, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Overview
• Background – Community, Environment, Reality Check
• Project Details – Training, WebAppSec Class Development, Scanning Tools
• Lessons Learned
• Questions
Our community
• 350 acre campus
• 2,500 - 3,000 faculty
• 14,000 - 18,000 staff
• 16 colleges and schools
• almost 50,000 students
• >3,500,000 Electronic IDs
Our Environment
• Over 50 IT organizations on campus
• Hundreds of campus programmers and publishers
• Diverse environment – PHP, Perl, Java, .NET, ColdFusion, webAgent, more …
• 49,077 distinct IP addresses
• Several hundred Web servers
• More than 2,000 wireless network access points
Pay now or pay later!
Why?
Reality check…
• 312 data thefts disclosed in 2006
• 28% were educational institutions
  – 51% were the result of breaches
  – 27% were hardware thefts or losses
  – Over 1.8 million people affected
• Estimated $59.5 billion national cost of inadequate software testing
Our reality…
• 2003 Breach
• 2006 Breach
• University President attention
• Cost of breaches
  – Thousands of staff hours
  – Hundreds of thousands of dollars
  – Damage to reputation – priceless
• Pending legislation
Project Objectives
• Focus on Web Application Security
• Increase general security awareness
• Broaden use of vulnerability scanner
• Increase coordination
  – Information Security Office (ISO)
  – System Administrators
  – Developers
Project Deliverables
• Web Application Security Workshop for campus developers
• Internal web site:
  – Policies, Guidelines, Standards, Procedures
  – External Resources
• Increase exposure of security scanning tool
• Formal process for conducting security code reviews
• Formal procedure for addressing vulnerabilities
Timeline
Where to start?
Identify common web application security issues…
OWASP
Open Web Application Security Project: “The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software.”
• OWASP provides tools and resources to assist with the security assessment and remediation process
  – WebScarab: framework for analyzing applications that communicate using the HTTP and HTTPS protocols
  – WebGoat: a deliberately insecure J2EE web application
  – OWASP Top Ten: common web application security vulnerabilities
OWASP Top Ten (2004)
1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting
5. Buffer Overflow
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Application Denial of Service
10. Insecure Configuration Management
OWASP Top Ten (2007 release candidate 1)
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Insecure Remote File Include
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
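The top two items of the 2007 list, shown as a vulnerable function beside its fix. This is an added example, not code from the talk or from any UT Austin application; the student table, EIDs and probe strings are constructed for the demo, and Python is used only because it demonstrates the pattern compactly (the same two fixes apply in PHP, Java, .NET and ColdFusion: bound parameters and output encoding).

```python
"""Added example: OWASP Top Ten 2007 items 1 and 2 (XSS, Injection Flaws).
Vulnerable function beside its fix; all data below is constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory student table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (eid TEXT PRIMARY KEY, name TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [("dg1234", "D. Gierisch", "1111"), ("pa5678", "P. Abrams", "2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, eid: str) -> list:
    """Injection flaw: the EID is spliced into the SQL text, so a quote
    character in the input changes the structure of the query."""
    sql = "SELECT eid, name FROM students WHERE eid = '" + eid + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, eid: str) -> list:
    """Fix: a bound parameter is always data, never SQL grammar."""
    return conn.execute(
        "SELECT eid, name FROM students WHERE eid = ?", (eid,)
    ).fetchall()


def greet_vulnerable(name: str) -> str:
    """XSS: untrusted text is written straight into the HTML response."""
    return "<p>Hello, " + name + "</p>"


def greet_safe(name: str) -> str:
    """Fix: encode for the HTML element context before output."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"            # constructed injection probe
    print(lookup_vulnerable(db, probe))  # every row: the tautology wins
    print(lookup_safe(db, probe))        # []: no EID equals that literal string
    payload = "<script>alert(document.cookie)</script>"  # constructed XSS probe
    print(greet_vulnerable(payload))
    print(greet_safe(payload))
```

The injection probe returns every student from the vulnerable lookup and nothing from the parameterized one; the XSS probe comes back as a live `<script>` tag from the first renderer and as inert `&lt;script&gt;` text from the second.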
Training the trainers
• Investigate Options
• Certifications …?
  – GIAC
  – SANS
• Study Groups …?
• External Training …?
Training the trainers
• Scheduled external Security Training
  – Provided by Aspect Security
• Included broad community
  – Central IT Developers and Consultants
  – Human Resources
  – Student Information Systems
  – Information Security Office
Developing the class
• Identifying the Audiences
• Increased communications (mailing lists, user groups, etc.)
• Started with shorter presentations …
  – PHP
  – Java
  – Cold Fusion
  – webAgent
About the Class
Class Objectives
• Re-envision the Web
  – Web Focus
  – Web Browsers
  – Clients – java.net, telnet, etc …
• Inherit limitations of HTTP
• Why the client cannot be trusted
• Focus on server side controls
• OWASP
Class: Definitions
• “The Internet”
• “Security”
What is security?
• Physical
• Technical
• Administrative
Data: Confidentiality, Integrity, Availability
Language Agnostic Concepts
• Need to know
• Least Privilege
• Positive Security Model
• Fail Securely
• Reduce Your Attack Surface
• Apply Defense in Depth
• Log Activity
• Avoid Security by Obscurity
• Keep Security Simple
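The class objectives above argue that the client cannot be trusted and that controls belong on the server, and this list names the principles those controls should follow. The handler below puts several of them together on one form (positive security model, least privilege, fail securely, log activity) and shows why a raw HTTP request, typed into telnet or built with java.net, defeats anything enforced only in the browser. This is an added example, not code from the talk or from a UT Austin system; the form, field names, EID format, fee table and host name are assumptions made for the demo.

```python
"""Added example: server-side controls for an enrollment form.
Form layout, EID shape, section numbers, fee table and host are assumed."""
import html
import logging
import re
from urllib.parse import parse_qs

log = logging.getLogger("enroll")

# Positive security model: describe what IS acceptable and reject everything else.
EID_RE = re.compile(r"[a-z][a-z0-9]{2,7}")   # assumed EID shape (not UT's real rule)
SECTION_RE = re.compile(r"[0-9]{5}")          # assumed section-number shape

# Least privilege / need to know: the handler sees only a fee table, not the
# student record, and the fee is authoritative here rather than in the form.
FEES = {"12345": 250, "67890": 400}           # constructed data


class ValidationError(ValueError):
    pass


def raw_post(host: str, path: str, body: str) -> str:
    """What a non-browser client sends: every JavaScript check, hidden field
    and disabled control of the HTML form is simply absent."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n{body}"
    )


def validate_enrollment(body: str) -> dict:
    """Allowlist every field; a client-supplied 'fee' is ignored on purpose."""
    fields = parse_qs(body, keep_blank_values=True)
    eid = fields.get("eid", [""])[0]
    section = fields.get("section", [""])[0]
    if not EID_RE.fullmatch(eid):
        raise ValidationError("eid")
    if not SECTION_RE.fullmatch(section) or section not in FEES:
        raise ValidationError("section")
    return {"eid": eid, "section": section, "fee": FEES[section]}


def handle_post(body: str) -> tuple:
    """Fail securely: a bad request gets a generic response, details go to the
    server log, and nothing from the request is echoed without encoding."""
    try:
        rec = validate_enrollment(body)
    except ValidationError as exc:
        log.warning("rejected enrollment: bad field %s", exc)
        return 400, "<p>Request rejected.</p>"
    except Exception:
        log.exception("enrollment handler failed")
        return 500, "<p>An internal error occurred.</p>"
    return 200, (
        f"<p>{html.escape(rec['eid'])} enrolled in section "
        f"{rec['section']}; fee ${rec['fee']}.</p>"
    )


if __name__ == "__main__":
    # Constructed requests: honest, forged fee, and an injection probe in 'section'.
    for body in (
        "eid=dg1234&section=12345",
        "eid=dg1234&section=12345&fee=0",
        "eid=dg1234&section=12345%27+OR+%271%27%3D%271",
    ):
        request_line = raw_post("app.example.edu", "/enroll", body).split("\r\n")[0]
        print(request_line, body, handle_post(body))
```

The forged `fee=0` is accepted as a request but has no effect, because the price is looked up server side; the injection probe never reaches a database or a page because it fails the allowlist first, and the caller learns only that the request was rejected.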
Policies, Guidelines
• University System Bulk Policy Memoranda
• University Data Classification
• Federal (FERPA, HIPAA)
• State (Texas Computer Crimes Law)
Glimpse @ Tools
• WebScarab
• Tamper Data
Class
• Lecture style
• 8 hour class
• Multiple instructors
  – Web Team
  – Software Development Team
  – Information Security Office
Class
• OWASP based demos
• Sample Code
• Activities to encourage participation
• Follow-up sessions
• Automated scanning tools
Class – Sample Slide: webAgent
Training Progress
• Trained over 100 developers
• Over 20 Colleges/Business Units
• Class fills within minutes of announcement
• Requests from departments to tailor the class
• Good feedback
Automated Scanning
Automated scanning tools…
• Not a silver bullet
• We chose Watchfire/SecurityXM
  – Various security and compliance reports
  – HIPAA, OWASP, SOX …
• Other tools/options
  – SPI Dynamics has WebInspect
  – Cenzic has Hailstorm
  – WhiteHat has Sentinel
SecurityXM at UT Austin
• Not all that automated
• The Process
Future of scanning at UT…
• AppScan Enterprise
Our low-hanging fruit…
• Server Configuration Changes
  – Security vs. Convenience
  – Tomcat, Apache, IIS
• Disabling some HTTP methods
• Limiting access to backup files
• Limiting file access
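The three configuration items above, written out for Apache httpd with the convenient default beside the hardened form. This is an added example, not the configuration UT Austin deployed; the directory path and file-name patterns are assumptions. The syntax is Apache 2.4 (`Require`); on the 2.2 releases current when this talk was given, the equivalent of `Require all denied` is `Order deny,allow` followed by `Deny from all`.

```apache
# --- Convenient default (assumed starting point): every HTTP method reaches
# the application, directory listings are on, and editor or backup copies
# sitting next to live scripts are served like any other file.
<Directory "/var/www/app">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# --- Hardened form of the same directory.
# TRACE is rarely needed by an application and is disabled server-wide.
TraceEnable off

<Directory "/var/www/app">
    # No directory listings; .htaccess cannot re-enable anything below.
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted

    # Disabling some HTTP methods: only the methods the application actually
    # uses are allowed; PUT, DELETE, OPTIONS and anything else get 403.
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>

# Limiting access to backup files: editor and backup copies of scripts are
# served as plain text, which discloses source, credentials and SQL.
<FilesMatch "(\.(bak|old|orig|save|swp|tmp)|~)$">
    Require all denied
</FilesMatch>

# Limiting file access: include files and version-control metadata should
# never be fetched directly by a browser.
<FilesMatch "\.(inc|ini|cfg|properties)$">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.(svn|git|cvs)(/|$)">
    Require all denied
</DirectoryMatch>
```

After a change like this, a quick check is `curl -s -o /dev/null -w "%{http_code}\n" -X OPTIONS https://host/app/` and the same for a known backup name such as `index.php.bak`; both should return 403 rather than 200. Note that `<LimitExcept>` controls who may use a method, not whether the application code behind GET and POST is sound, so it is a complement to the input validation the class teaches, not a substitute for it.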
Continuing Activities
Timeline
Continuing activities…
• Web Application Security Initiative
  – Checklists & Guidelines
  – Code libraries
  – New classes
• Manual pen tests
• AppScan scanning
• Web Application Workshop
• Minimum Security Standards for Application Development and Administration
Lessons Learned
Important lessons…
• Hard to engage people
  – Overwhelmed by new information
  – Already working hard
  – Provide next steps
  – Follow-up sessions
More important lessons…
• Security must be everyone’s concern!
  – System Administrators
  – Information Security Office (ISO)
  – Application Developers
  – Managers
  – Executives
  – Clients
  – End Users
Still more important lessons…
• Time and Money
  – Pay now or pay later
  – After a breach you’re forced to find time and money
• Requires attitude shift
• Our Process
  – Finding resources for the “Project”
The most important lesson
You MUST find the time now! Or you WILL find the time later…
Questions
Contact Information Diane Gierisch Senior Systems Analyst [email protected]
PJ Abrams Senior Systems Analyst [email protected]