University of California, Irvine
Security Awareness for Web Developers
Katya Sadovsky, Administrative Computing Services
TechnoExpo, September 2004
Agenda
- Overview of privacy regulations
- Security architecture design
- Authentication with WebAuth
- File and directory security risks
- Modeling and storing sensitive data
- Sensitive data in cookies and URLs
- Communication between distributed components
- Peer code reviews

End User Security
Since developers are also end users of computing, the topics covered in the "End User Security Awareness" session apply to attendees of this session as well. Session materials are available at:
http://apps.adcom.uci.edu/EnterpriseArch/PresentationsConferences/TechnoExpo2004EndUserSecurity.ppt

Privacy regulations
- California Senate Bill 1386 (state law)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Digital Millennium Copyright Act (DMCA)
- Gramm-Leach-Bliley Act (Federal Trade Commission rules on customer financial privacy)
- USA PATRIOT Act of 2001

Senate Bill 1386 (California state law)
"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social Security number
- Driver's license number or California Identification Card number
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
SB 1386 requires notifying affected California residents when such unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person. Data that is encrypted in storage falls outside the definition, which is why the storage guidance later in this talk matters.
FERPA (Family Educational Rights and Privacy Act)
- Federal law that protects the privacy of student education records.
- Allows students to block release of their directory information, including confirmation that they are enrolled at all.
- Contact the Registrar for information and procedures.

HIPAA (Health Insurance Portability and Accountability Act)
- "Individually identifiable health information" is private and must be protected in any form or medium, whether electronic, paper, or oral.
- Protect demographic data (e.g. name, address, birth date, Social Security number) related to:
  - the individual's past, present or future physical or mental health or condition
  - the provision of health care to the individual
  - the past, present, or future payment for the provision of health care to the individual

Campus policies you must know
All policies are at http://www.policies.uci.edu
- 714-11 Guidelines for NACS Computer Usage
- 714-12 Office of Academic Computing Policy on Ownership and Rights of Access to Software and Data
- 714-14 Copying Computer Programs
- 714-15 Policy on Access to University Administrative Information Systems
- 714-16 Procedures for Accessing University Administrative Information Systems
- 714-17 Using University Administrative Information Systems
- 714-18 Computer and Network Use Policy

Using sensitive data in applications
Get the necessary approvals before building on the data:
- The Payroll/Personnel office or Human Resources must grant approval for access to private employee information.
- The Registrar has a formal process for approving student data release.

Security Architecture Design
The security architecture must facilitate proper and efficient:
- identification
- authentication
- authorization
- administration and auditability
Identity management:
- uniqueness
- account management

The security architecture also should:
- be flexible enough to support the introduction and/or integration of new technologies
- address and support multiple levels of protection: database, network, operating system, and application-level security needs
- provide a modular approach to authentication, authorization, and accounting

Other design considerations:
- Consider security during initial system design
- Minimize the number of security devices
- Delegate access control where appropriate
- Centralize security policy, maintenance, operation, and oversight functions
- Use open standards
- Assign security levels consistently and at the lowest level of access the individual requires (least privilege)

Authentication with WebAuth
- WebAuth is the campus single sign-on authentication mechanism.
- General information is available at http://www.nacs.uci.edu/help/webauth
- Additional information for Java programmers: http://snap.uci.edu/PortalDocs/webAuth/ssoWithWebAuth.html
- Single sign-on = single sign-off! Once a user logs off one WebAuth-enabled application, s/he should be logged off all others.

Authentication with WebAuth, cont'd
Understand the different timeouts:
- Cookie age
- Local session timeout
Logout:
- Do not use "backend" (server-to-server) logouts: a request made by your server carries neither the user's WebAuth cookie nor any way to delete it from the user's browser. Send the browser an HTTP redirect to the WebAuth logout URL instead.
- Test your applications to make sure they reflect the logout as soon as it is sent to WebAuth from this or any other application (even if a local session still exists)!

File and directory security risks
- Use operating system encryption capabilities to protect files with private data
- Make sure that read/write/execute permissions on files and directories are correct
- Sensitive files (e.g. passwords, SSNs) are not world-readable and are not located in web-accessible directories or their subdirectories
- Sensitive data such as passwords, SSNs and account numbers is encrypted in files and/or databases
- Log files are not world-readable (keep in mind that URL query strings from GET requests are logged to a file)

Data modeling
When designing database tables for an application, note that:
- The application must be able to deal with cross-references between identifiers (the same person may hold both a student ID and an employee ID)
- Campus_ID offers the greatest flexibility as a table key, as opposed to student ID or employee ID
- The Social Security number should never be used as a person key and should be avoided altogether

Storing sensitive data
- AVOID storing sensitive data if at all possible!
- If you have to store sensitive data:
  - Encrypt table records and/or files that contain: password, SSN, home phone/address, credit card, bank account, California driver's license, non-public student or employee data, or FERPA-blocked student data. Keep the encryption key out of the data store and out of the web-accessible tree; if a file disclosure yields both the ciphertext and the key, the encryption protected nothing.
  - Use encrypted transmission for data retrieval and modification
  - Educate end users about the sensitivity of the data

Storing sensitive data, cont'd
- Catalogue and inventory your use of personal data
- Make sure data is backed up: if the data is compromised, the backups tell you whose records were exposed so you can notify the affected individuals (as SB 1386 requires).

Sensitive data in cookies and URLs
- Do NOT store sensitive data of any kind in cookies or URLs. GET query strings are written to web server log files and browser history, and are forwarded to other sites in the Referer header.
- Using WebAuth for authentication eliminates the need to invent an authentication mechanism (and to store passwords in cookies).
- Use non-persistent cookies (which disappear once the browser is closed) instead of persistent ones.
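As an added example, not part of the original presentation, the following Python script automates the checks from the "File and directory security risks" slide above: it walks an application tree and reports files or directories that "other" can write, sensitive-looking files that "other" can read, and sensitive-looking files that sit inside the web document root where the web server will serve them. The directory layout, the file names and the SENSITIVE_NAME pattern are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# File names that usually hold credentials or personal data. This pattern is an
# assumption for the example; extend it with the names your application uses.
SENSITIVE_NAME = re.compile(r"passw|htpasswd|ssn|secret|\.key$|\.pem$|\.bak$|\.log$", re.I)


def under(path, top):
    """True if `path` is `top` or lies beneath it (both resolved through symlinks)."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    return path == top or path.startswith(top + os.sep)


def audit_tree(root, docroot):
    """Walk `root` and return sorted (relative path, problem) pairs.

    Problems:
      world-writable        any file or directory that 'other' may modify
      world-readable        a sensitive-looking file that 'other' may read
      sensitive-in-docroot  a sensitive-looking file inside the web document root,
                            i.e. one the web server will hand out on request
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue                      # the target is judged where it really lives
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and SENSITIVE_NAME.search(name):
                if mode & stat.S_IROTH:
                    findings.append((rel, "world-readable"))
                if under(path, docroot):
                    findings.append((rel, "sensitive-in-docroot"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample deployment (not a real one); returns (root, docroot)."""
    root = tempfile.mkdtemp(prefix="audit-")
    docroot = os.path.join(root, "htdocs")
    for d in (os.path.join(docroot, "includes"), os.path.join(root, "private")):
        os.makedirs(d)
        os.chmod(d, 0o750)
    os.chmod(docroot, 0o750)
    files = {
        os.path.join(docroot, "index.html"): 0o644,                   # public page: fine
        os.path.join(docroot, "includes", "db_password.inc"): 0o644,  # secret under the web root
        os.path.join(root, "private", "ssn_export.csv"): 0o600,       # outside web root, owner-only: fine
        os.path.join(root, "private", "access.log"): 0o666,           # query strings land here; too open
    }
    for path, mode in files.items():
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root, docroot


if __name__ == "__main__":
    root, docroot = build_sample_tree()
    for rel, problem in audit_tree(root, docroot):
        print(f"{problem:22} {rel}")
```

Run it against a real deployment with the application root and document root as arguments (for instance `audit_tree("/srv/app", "/srv/app/htdocs")`, paths illustrative). A sensible target state for an application's own configuration is owner = the deploying account, group = the web server's group, mode 0640: the server can read it, nobody else can, and it is never world-readable. The check treats every `.log` file as sensitive because, as the slide notes, GET query strings end up there.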
Communication between distributed components
- Document how the data is used by each component
- Transmissions/exchanges of private information must be encrypted using protocols like:
  - HTTPS
  - SFTP
  - SSH
  - stunnel
  - VPN: http://www.nacs.uci.edu/security/vpn.html
- Always use the POST method when your forms submit any private information. POST keeps the values out of the URL, and therefore out of server logs and browser history; it does not encrypt them, so the form must still be submitted over HTTPS.

Page caching
- Be aware that pop-up windows with sensitive information may remain open even after logout
- Pages with sensitive data should not be cached: cached page content is easily retrieved through the browser's history
- Use the following tags to disable page caching:
  <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
  <META HTTP-EQUIV="Cache-Control" CONTENT="no-store, no-cache">
  <META HTTP-EQUIV="Expires" CONTENT="-1">
- META HTTP-EQUIV tags are honored only by some browsers and never by intermediate caches and proxies. Send the same directives as real HTTP response headers (Cache-Control: no-store, no-cache; Pragma: no-cache; Expires: 0) in addition to, or instead of, the tags.

SQL injection attacks
- SQL injection examples are outlined in: http://searchdatabase.techtarget.com/searchDatabase/downloads/sqlServerSecurity.pdf
- To prevent these attacks:
  - Validate parameter types and values before they reach an SQL statement, and pass them as bound parameters of a prepared statement (never paste raw parameter data into SQL text)
  - Test for these vulnerabilities as part of functional testing

Code reviews
- Employ peer code reviews to catch oversights
- More formal code reviews may be necessary for highly sensitive applications

Summary
- Understand what constitutes private data
- Understand security and privacy regulations
- Avoid storing sensitive data if possible
- Encrypt private data in storage and in transit
- Review data storage and code periodically
- Make sure there is a backup person for the security administrator
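The WebAuth logout, "Sensitive data in cookies and URLs" and "Page caching" slides above describe one HTTP-level discipline. The minimal WSGI application below, an added example rather than code from the presentation or from WebAuth itself, puts the three together: the login handler issues an opaque, non-persistent session cookie (Secure, HttpOnly, no Expires/Max-Age) that carries nothing but a random key into a server-side table, the private page sends the no-store directives as real response headers, and the logout handler destroys the local session, deletes the cookie and redirects the browser to the single sign-on logout URL instead of calling it from the backend. SSO_LOGOUT_URL, the cookie name, the "alice" identity and the `call` request driver are assumptions for the example; SameSite is a later cookie attribute that did not exist in 2004 but belongs on any session cookie today.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "APPSESSION"
# Assumed single sign-on logout URL; use the real WebAuth logout URL in practice.
SSO_LOGOUT_URL = "https://login.example.edu/webauth/logout"

# Server-side session table. The cookie carries only an opaque random key into
# this table, never a user ID, SSN, or password.
SESSIONS = {}

# Sent with every page that shows private data, as real HTTP headers rather than
# (or in addition to) META HTTP-EQUIV tags, so proxies and caches honor them too.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def session_cookie_header(value, expire=False):
    """Set-Cookie header for the application session.

    Without Expires/Max-Age the cookie is non-persistent: the browser drops it
    when it closes. Secure keeps it off plain HTTP, HttpOnly keeps it away from
    page scripts. expire=True yields the header that deletes the cookie.
    """
    attrs = [f"{SESSION_COOKIE}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if expire:
        attrs[1:1] = ["Max-Age=0", "Expires=Thu, 01 Jan 1970 00:00:00 GMT"]
    return ("Set-Cookie", "; ".join(attrs))


def persistent(set_cookie_value):
    """True if a Set-Cookie value would outlive the browser session."""
    attrs = {a.split("=", 1)[0].strip().lower() for a in set_cookie_value.split(";")[1:]}
    return bool(attrs & {"expires", "max-age"})


def session_id(environ):
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(SESSION_COOKIE)
    return morsel.value if morsel else None


def app(environ, start_response):
    """Minimal WSGI application: login, a private page, and SSO-aware logout."""
    path = environ.get("PATH_INFO", "/")

    if path == "/login":
        # The identity would come from the SSO layer; here it is a constructed value.
        user = environ.get("SSO_USER", "anonymous")
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {"user": user}
        start_response("302 Found", [("Location", "/account"), session_cookie_header(sid)])
        return [b""]

    if path == "/account":
        session = SESSIONS.get(session_id(environ))
        if session is None:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")] + NO_STORE_HEADERS)
        return [f"Account page for {session['user']}".encode()]

    if path == "/logout":
        # Kill the local session, then redirect the *browser* to the SSO logout.
        # The SSO cookie belongs to the SSO server's domain; this server can neither
        # read nor delete it, so a server-to-server "backend" logout cannot work.
        SESSIONS.pop(session_id(environ), None)
        start_response("302 Found", [("Location", SSO_LOGOUT_URL), session_cookie_header("", expire=True)])
        return [b""]

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(path, cookie="", user=None):
    """Drive the app with a constructed request; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    if user:
        environ["SSO_USER"] = user
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = call("/login", user="alice")
    sid = dict(headers)["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(status, dict(headers)["Set-Cookie"])
    print(call("/account", cookie=f"{SESSION_COOKIE}={sid}")[2].decode())
    print(call("/logout", cookie=f"{SESSION_COOKIE}={sid}")[1])
```

The `persistent` helper is the check to run against your own application's Set-Cookie headers: any Expires or Max-Age attribute on the session cookie means it survives the browser closing, which the cookie slide tells you to avoid. The logout test to write, per the WebAuth slide, is the last step in the sequence below: after the redirect to the SSO logout, the old session ID must be refused even if the browser replays it.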
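An added example, not from the presentation or from the referenced paper, showing the SQL injection slide's advice in working code with Python's built-in sqlite3 module: the concatenated query that a tautology payload turns into "return every row", the same lookup with a bound parameter, the validate-then-bind version the slide asks for, and the one case binding cannot cover, an identifier such as an ORDER BY column, which needs an allow-list. The table, the rows and the 8-digit campus ID format are constructed for the example.

```python
import sqlite3

# Constructed sample data, not real student records.
SAMPLE_ROWS = [
    ("10000001", "A. Anteater", 3.7),
    ("10000002", "B. Bruin", 2.9),
    ("10000003", "C. Cardinal", 3.1),
]

# Columns a caller is allowed to sort by. Identifiers cannot be bound as
# parameters, so an allow-list is the only defence for them.
ALLOWED_SORT = {"campus_id", "name", "gpa"}


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (campus_id TEXT PRIMARY KEY, name TEXT, gpa REAL)")
    conn.executemany("INSERT INTO student VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, campus_id):
    """The anti-pattern: the parameter is pasted into the SQL text."""
    sql = "SELECT campus_id, name FROM student WHERE campus_id = '" + campus_id + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, campus_id):
    """Bound parameter: the driver ships the value separately from the statement,
    so whatever it contains is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT campus_id, name FROM student WHERE campus_id = ?", (campus_id,)
    ).fetchall()


def valid_campus_id(value):
    """Type/value check for the key (assumption for the example: exactly 8 digits)."""
    return isinstance(value, str) and len(value) == 8 and value.isdigit()


def lookup_safe(conn, campus_id):
    """Validate first, then bind: bad input is rejected before it reaches the
    database, and input that slips past validation still cannot change the query."""
    if not valid_campus_id(campus_id):
        raise ValueError("campus_id must be exactly 8 digits")
    return lookup_bound(conn, campus_id)


def list_students(conn, sort_by):
    """ORDER BY takes an identifier, which cannot be a bound parameter; allow-list it."""
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT campus_id, name FROM student ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"          # classic tautology payload
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row comes back
    print("bound only:", lookup_bound(conn, payload))        # no row has that literal ID
    try:
        lookup_safe(conn, payload)
    except ValueError as exc:
        print("safe:", exc)
    print("sorted:", list_students(conn, "gpa"))
```

The slide's "test for these vulnerabilities as part of a functional test" is exactly the kind of assertion that follows: feed the tautology payload to every lookup and require that it returns nothing or is rejected, never the whole table.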
Useful links
- UCOP IT security site: http://www.ucop.edu/irc/itsec/
- NACS security site: http://www.nacs.uci.edu/security/index.html
- AdCom application security checklist: http://snap.uci.edu/viewXmlFile.jsp?xml=webpages/xml/sdlc/checkListSecurityReview.xml

Questions?