University of California, Irvine Security Awareness for Web Developers Katya Sadovsky [email protected] Administrative Computing Services TechnoExpo, September 2004
Security Awareness for Web Developers
Katya Sadovsky
[email protected]
Administrative Computing Services
TechnoExpo, September 2004
1
University of California, Irvine (Administrative Computing Services)
Agenda
Overview of privacy regulations
Security architecture design
Authentication with WebAuth
File and directory security risks
Modeling and storing sensitive data
Sensitive data in cookies and URLs
Communication between distributed components
Peer Code Reviews
End User Security
Since developers also happen to be end users of computing, topics covered in the “End User Security Awareness” session apply to attendees of this session as well.
Session materials are available at:
http://apps.adcom.uci.edu/EnterpriseArch/PresentationsConferences/TechnoExpo2004EndUserSecurity.ppt
Privacy regulations
State Bill 1386 (State Law)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Digital Millennium Copyright Act
Federal Trade Commission - Gramm-Leach-Bliley Act on Customer Privacy
USA Patriot Act of 2002
State Bill 1386 (State Law)
“Personal information” means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
Social security number
Driver's license number or California Identification Card number
Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
FERPA
Family Educational Rights and Privacy Act
Federal law that protects the privacy of student education records.
Allows students to block access to their information, or even to the fact that a record exists.
Contact the Registrar for info and procedures.
HIPAA
Health Insurance Portability and Accountability Act
“Individually identifiable health information” is private and must be protected in any form or media, whether electronic, paper, or oral.
Protect demographic data (e.g. name, address, birth date, Social Security Number) related to:
the individual’s past, present or future physical or mental health or condition
the provision of health care to the individual
the past, present, or future payment for the provision of health care to the individual
Campus Policies you must know
You can find all policies at http://www.policies.uci.edu
714-11 Guidelines for NACS Computer Usage
714-12 Office of Academic Computing Policy on Ownership and Rights of Access to Software and Data
714-14 Copying Computer Programs
714-15 Policy on Access to University Administrative Information Systems
714-16 Procedures for Accessing University Administrative Information Systems
714-17 Using University Administrative Information Systems
714-18 Computer and Network Use Policy
Using sensitive data in applications
Getting necessary approvals:
The Payroll/Personnel office or Human Resources must grant approval for access to private employee information
The Registrar has a formal process for approving student data release
Security Architecture Design
The Security Architecture must facilitate:
proper and efficient identification
authentication
authorization
administration and auditability
Identity management:
uniqueness
account management
Security Architecture Design
The Security Architecture also should:
be flexible to support the introduction and/or integration of new technologies
address and support multiple levels of protection, including database, network level, operating system, and application level security needs
provide a modular approach to authentication, authorization, and accounting
Security Architecture Design
Other design considerations:
Consider security during initial system design
Minimize the number of security devices
Delegate access control where appropriate
Centralize security policy, maintenance operation and oversight functions
Utilize Open Standards
Assign security levels consistently and at the lowest level of access required by the individual
Authentication with WebAuth
WebAuth is the campus single-signon authentication mechanism.
General information is available at http://www.nacs.uci.edu/help/webauth
There is some additional info for Java programmers at http://snap.uci.edu/PortalDocs/webAuth/ssoWithWebAuth.html
Single-Signon = Single-Signoff!
Once a user logs off one WebAuth-enabled application, s/he should be logged off all others.
Authentication with WebAuth
Understand the different timeouts:
Cookie age
Local session timeout
Logout:
Do not use “backend” logouts, since they do not dispose of the cookie correctly; use HTTP redirects instead.
Test your applications to make sure they reflect the logout as soon as it is sent to WebAuth from this or any other application (even if there is a local session)!
File and directory security risks
Use operating system encryption capabilities to protect files with private data.
Make sure that:
Read/Write/Execute access on files and directories is correct
Sensitive files (e.g. passwords, SSN) are not world-readable and are not located in web-accessible directories or subdirectories
Sensitive data such as passwords, SSNs and account numbers are encrypted in files and/or databases
Log files are not world-readable (keep in mind that URL query strings from GET requests are logged to a file)
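A check for the two file-system conditions on this slide, as an added example (not code from the presentation): it walks a directory tree and reports sensitive-looking files that are world-readable or that sit under the web document root. The name hints, the web-root layout and the temporary test tree are all constructed for the demonstration.

```python
"""Audit a directory tree for the file and directory risks on this slide.

Added example, not code from the presentation. Files whose names look
sensitive (constructed heuristic in SENSITIVE_NAME_HINTS) are flagged when
they are world-readable or located under the web document root.
"""
import os
import stat
import tempfile
from pathlib import Path

SENSITIVE_NAME_HINTS = ("passw", "ssn", ".log", "secret", ".key")


def audit_tree(root, web_root=None):
    """Return [(path, problem)] for sensitive-looking files under root."""
    root = Path(root).resolve()
    web_root = Path(web_root).resolve() if web_root else None
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if not any(h in path.name.lower() for h in SENSITIVE_NAME_HINTS):
            continue
        # S_IROTH set: every local account, not just the owner, can read it
        if path.stat().st_mode & stat.S_IROTH:
            findings.append((str(path), "world-readable"))
        # Anything under the document root can be fetched over HTTP
        if web_root and web_root in path.parents:
            findings.append((str(path), "sensitive file under web root"))
    return findings


def demo():
    """Build a constructed tree in a temporary directory and audit it."""
    base = Path(tempfile.mkdtemp())
    htdocs = base / "htdocs"
    htdocs.mkdir()
    for rel, mode in (("htdocs/index.html", 0o644),
                      ("htdocs/passwords.txt", 0o600),
                      ("access.log", 0o644)):
        (base / rel).write_text("constructed")
        os.chmod(base / rel, mode)
    return audit_tree(base, web_root=htdocs)


if __name__ == "__main__":
    for path, problem in demo():
        print(f"{problem}: {path}")
```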
Data modeling
When designing database tables for an application, note that:
The application must be able to deal with cross-references
Campus_ID offers the greatest degree of flexibility when choosing a table key, as opposed to student ID or employee ID
Social Security Number should never be used as a person key and should be avoided
Storing sensitive data
AVOID storing sensitive data if at all possible!
If you have to store sensitive data:
Encrypt table records and/or files that contain: password, SSN, home phone/address, credit card, bank account, California Driver's License, non-public student or employee data, or FERPA-blocked student data
Use encrypted transmission for data retrieval and modification
Educate end users about the sensitivity of the data
Storing sensitive data, cont’d
Catalogue and inventory your use of personal data
Make sure data is backed up:
In case data is compromised, use backups to notify affected individuals.
Sensitive data in cookies and URLs
Do NOT store sensitive data of any kind in cookies or URLs (GET requests are logged in web log files).
Using WebAuth for authentication eliminates the need to invent an authentication mechanism (and store passwords in cookies).
Use non-persistent cookies (that disappear once the browser is closed) instead of persistent ones.
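Because GET query strings end up in the web log, the log itself is a good place to detect private data that slipped into URLs. The following scanner is an added example, not code from the presentation; the log lines are constructed, and the parameter-name list and SSN pattern are a starting heuristic for the fields this talk names, not a complete list.

```python
"""Scan web-server access-log lines for private data that reached a GET
query string. Added example, not from the presentation; the log lines are
constructed, and SENSITIVE_PARAMS and SSN_RE are a starting heuristic for
the fields named on this slide, not a complete list.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Request part of an NCSA/Apache common-log line: "METHOD /target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Nine digits with optional dashes, the usual SSN shape
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
SENSITIVE_PARAMS = {"ssn", "password", "passwd", "pwd", "cardnumber", "dob"}


def sensitive_params_in_line(line):
    """Return [(method, param, reason)] for each suspicious query parameter."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    method, target = match.group("method"), match.group("target")
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            hits.append((method, name, "sensitive parameter name"))
        elif SSN_RE.match(value):
            hits.append((method, name, "value looks like an SSN"))
    return hits


def scan_log(lines):
    """Map 1-based line number -> findings for every line that has any."""
    report = {}
    for number, line in enumerate(lines, 1):
        hits = sensitive_params_in_line(line)
        if hits:
            report[number] = hits
    return report


# Constructed sample log lines, not real traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2004:10:01:02 -0700] "GET /lookup?campus_id=12345 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Sep/2004:10:01:09 -0700] "GET /lookup?ssn=123-45-6789 HTTP/1.1" 200 812',
    '10.0.0.7 - - [12/Sep/2004:10:02:00 -0700] "GET /login?user=ks&password=hunter2 HTTP/1.0" 302 0',
    '10.0.0.7 - - [12/Sep/2004:10:02:30 -0700] "GET /search?q=123456789 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        for method, name, reason in hits:
            print(f"line {number}: {method} parameter {name!r}: {reason}")
```

A hit on a page that is already live means the value is now sitting in the log file, so the fix is both to switch the form to POST and to treat that log as a sensitive file.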
Communication between distributed components
Document how the data is used by each component
Transmissions/exchanges of private information must be encrypted using protocols like:
HTTPS
SFTP
SSH
STunnel
VPN: http://www.nacs.uci.edu/security/vpn.html
Always use a POST method when your forms submit any private information
Page Caching
Be aware that pop-up windows with sensitive information may remain open even after logout
Pages with sensitive data should not be cached: page content is easily accessed using the browser’s history
Use the following tags to disable page caching:
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-store, no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
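The META tags above are only seen by the browser; the same directives sent as HTTP response headers also reach proxies and other shared caches, so an application should emit both. The following helper is an added example, not code from the presentation: it applies the header form of those three tags to a response and audits a header set for a sensitive page (a simplified check, not a full HTTP cache model; the weak response is constructed).

```python
"""Cache-control headers for pages with sensitive data, with a check.

Added example, not from the presentation. NO_CACHE_HEADERS is the header
form of the slide's three META tags; caching_problems() is a simplified
audit of a response's headers, not a full HTTP cache model.
"""

NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "-1",
}


def _directives(cache_control):
    """Split a Cache-Control value into a set of lower-cased directives."""
    return {d.strip().lower() for d in cache_control.split(",") if d.strip()}


def caching_problems(headers):
    """Return reasons a response with these headers could still be cached.

    headers: dict of header name -> value, names matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    directives = _directives(lower.get("cache-control", ""))
    problems = []
    if "no-store" not in directives:
        problems.append("Cache-Control lacks no-store")
    if "no-cache" not in directives:
        problems.append("Cache-Control lacks no-cache")
    if any(d.startswith("max-age=") and d != "max-age=0" for d in directives):
        problems.append("Cache-Control allows reuse via max-age")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        problems.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return problems


def with_no_cache(headers):
    """Copy headers, replacing any Cache-Control/Pragma/Expires with ours."""
    ours = {name.lower() for name in NO_CACHE_HEADERS}
    hardened = {k: v for k, v in headers.items() if k.lower() not in ours}
    hardened.update(NO_CACHE_HEADERS)
    return hardened


# Constructed example: a report page that a framework marked cacheable
WEAK_RESPONSE = {"Content-Type": "text/html",
                 "Cache-Control": "public, max-age=3600"}
```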
SQL Injection Attacks
SQL Injection examples are outlined in:
http://searchdatabase.techtarget.com/searchDatabase/downloads/sqlServerSecurity.pdf
To prevent these hacks:
Validate parameter types and values before inserting them into an SQL statement (never use raw parameter data for SQL)
Test for these vulnerabilities as part of a functional test
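Both points on this slide in working code, as an added example that is not from the presentation or the linked PDF: a lookup that pastes raw parameter data into the statement beside one that validates the type and binds the value, run against an in-memory SQLite table keyed by Campus_ID with constructed rows. The tampered form value shows what the functional test should exercise.

```python
"""Raw parameter data pasted into SQL beside the validated, bound form the
slide calls for. Added example, not from the presentation or the linked PDF;
it uses an in-memory SQLite table keyed by Campus_ID with constructed rows.
"""
import sqlite3


def setup():
    """Create the constructed person table keyed by campus_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (campus_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?)",
                     [(1001, "Ada"), (1002, "Grace"), (1003, "Linus")])
    return conn


def lookup_unsafe(conn, campus_id):
    """The 'before' form: raw parameter data becomes part of the SQL text."""
    sql = "SELECT name FROM person WHERE campus_id = " + str(campus_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, campus_id):
    """Validate the type, then bind the value; the driver never parses it as SQL."""
    if isinstance(campus_id, bool) or not isinstance(campus_id, int):
        raise ValueError("campus_id must be an integer")
    rows = conn.execute("SELECT name FROM person WHERE campus_id = ?", (campus_id,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups with a normal id and a tampered form value."""
    conn = setup()
    tampered = "1001 OR 1=1"  # constructed: what a form field could carry
    results = {
        "unsafe_normal": lookup_unsafe(conn, 1001),
        "unsafe_tampered": lookup_unsafe(conn, tampered),  # every row comes back
        "safe_normal": lookup_safe(conn, 1001),
    }
    try:
        lookup_safe(conn, tampered)
        results["safe_tampered"] = "accepted"
    except ValueError as exc:
        results["safe_tampered"] = str(exc)  # rejected before reaching SQL
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```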
Code Reviews
Employ peer code reviews to catch oversights
More formal code reviews may be necessary for highly sensitive applications
Summary
Understand what constitutes private data
Understand security and privacy regulations
Avoid storing sensitive data if possible
Encrypt private data in storage and communication
Review data storage and code periodically
Make sure there is a backup person for the security administrator
Useful links
UCOP IT security site: http://www.ucop.edu/irc/itsec/
NACS security site: http://www.nacs.uci.edu/security/index.html
AdCom application security checklist: http://snap.uci.edu/viewXmlFile.jsp?xml=webpages/xml/sdlc/checkListSecurityReview.xml
Questions?