IT SECURITY AT UCLA: TOOLS AND RESOURCES AT YOUR DISPOSAL

IT SECURITY AT UCLA: TOOLS AND RESOURCES AT YOUR DISPOSAL. Information Security Office UCLA IT Services. Alex M. Podobas. Topics. I. IT Security at UCLA : A Brief Overview II. What is AppScan? (...and I care why, exactly?) III. Using AppScan in the Software Development Life Cycle


Presentation Transcript


  1. IT SECURITY AT UCLA: TOOLS AND RESOURCES AT YOUR DISPOSAL Information Security Office UCLA IT Services Alex M. Podobas

  2. Topics • I. IT Security at UCLA : A Brief Overview • II. What is AppScan? (...and I care why, exactly?) • III. Using AppScan in the Software Development Life Cycle • IV. Making the Case for: Using AppScan to Test Third-Party “Community-Supplied” Additions

  3. I. UCLA IT Security Office What’s Our Role In This?

  4. I. IT Security at UCLA: An Overview • The IT Security Office operates from UCLA IT Services. • It is responsible for information security practices, technology, and policies across non-medical units at UCLA. • A big part of our strategy is not only making stellar, industry-standard testing tools available, but also promoting their use through public talks and pragmatic education resources.

  5. So What, Though? Web apps at UCLA do business in two currencies: money and information. And very often, in both. A central premise is that we at UCLA deal in information. Users must, and expect to, trust the many sources of information that the University makes available.

  6. II. What is AppScan? • An overview

  7. II. What is AppScan? • AppScan is a vulnerability assessment tool. • Provided by IBM and licensed by the IT Security Office. We provide it for free to campus departments and encourage its frequent use (we'll get to that in a minute). • AppScan can be run against websites, web applications, and their backend features to evaluate their existing security measures against most known vulnerabilities.

  8. II. What is AppScan? – Made Easy to Use • Accessed from the web browser. Absolutely nothing to install, configure, or set up. • Easy-to-use user interface. • Excellent IBM training reference guides. • Ability to assign custom-made security policies to groups, and assign users to groups. This is a very popular and well-used feature for campus web devs.

  9. II. What is AppScan? – Fully Managed by the IT Security Office: Support, Training, and Vulnerability Mitigation Advice • This is anything but an unsupported campus product. We manage it, issue and manage accounts, and create group policies. • IT Security is always willing to: • Provide customized one-on-one and group training sessions for potential or current AppScan users. • Help interpret AppScan reports and provide suggestions.

  10. II. What is AppScan? – Generated Reports • AppScan auto-generates readable reports of all potential security issues that were found in the last performed scan. • The level of detail is great. • View vulnerability type by code line • Detailed vulnerability explanation • Suggested mitigation measures

  11. III. AppScan and the Web App SDLC No one and no one’s affiliated group or department wants to end up on the front page of the Daily Bruin or the L.A. Times.

  12. III. Making the Case: • AppScan in Web App Development and the SDLC • (“Software Development Life Cycle”)

  13. III. AppScan and the SDLC • Security itself can be an abstract concept and, unfortunately, many who work on the web regard it as an afterthought. • In the context of information security, AppScan is not a cure-all solution (for example, it won’t solve poor framework design decisions), but it can certainly assist in identifying potential vulnerabilities.

  14. Key Advantages • AppScan detects: • Embedded malware • Cross-Site Request Forgery • Weak password requirements • Unsecured login forms • Session management errors • Input validation issues (HTML injection, SQL injection, and XSS attacks) • Parameter manipulation (cookie and hidden field attacks) • Compliance reports for HIPAA, PCI, GLB

  15. III. AppScan and the SDLC – Advantages AppScan’s Advantages • Use it as a tool to validate that your application is functioning properly. Security is a major part of this because insecure web apps don't serve their purpose of being reliable sources of information. • Killing two birds with one stone: testing application functionality in part by testing its security. For example, use AppScan to see if a form with inputs that communicates with a backend database is working properly. This tests an application's logic integrity (more compelling for the developer) and also gives real-time feedback.

  16. III. AppScan and the SDLC – Advantages AppScan’s Advantages • When you make any change (be it to code, the underlying database, or your backend hosting system), you immediately invalidate the results of prior security tests, including AppScan tests. Make it part of the SDLC routine. • This matters in terms of time: running AppScan only once, and then making changes afterward, wastes the time spent on that scan and leaves you with invalid results.
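The point above (any change to code, schema, or hosting invalidates prior results) can be enforced mechanically. Added example, not from the slides and not part of IBM AppScan: store a fingerprint of those inputs next to the findings of the last scan and refuse to reuse the findings once the fingerprint no longer matches. The file names, schema, config keys, and the finding label are all constructed sample data.

```python
"""Added example (not from the slides or from IBM AppScan): fingerprint the
inputs whose change invalidates a prior scan (code, DB schema, hosting
config), store it with the scan result, and never trust a stale result."""
import hashlib
import json
from pathlib import Path


def fingerprint(files: dict, schema_sql: str, host_config: dict) -> str:
    """files maps relative path -> bytes; sorted so the hash is order-independent."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    h.update(b"schema\0" + schema_sql.encode() + b"\0")
    h.update(b"config\0" + json.dumps(host_config, sort_keys=True).encode())
    return h.hexdigest()


def read_tree(root: Path) -> dict:
    """Collect a deployed code tree into the mapping fingerprint() expects."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def record_scan(fp: str, findings: list) -> dict:
    """What gets stored alongside the findings of the last scan."""
    return {"fingerprint": fp, "findings": list(findings)}


def current_findings(record: dict, fp_now: str):
    """Stored findings if nothing scanned has changed; None means re-scan first."""
    return record["findings"] if record["fingerprint"] == fp_now else None


def demo():
    # Constructed sample app: one script, one schema, one hosting setting.
    files = {"app.php": b"<?php echo $_GET['q']; ?>"}
    schema = "CREATE TABLE users (id INT, name TEXT);"
    config = {"php_version": "7.4", "db_host": "db.internal"}
    rec = record_scan(fingerprint(files, schema, config), ["XSS in app.php"])
    unchanged = current_findings(rec, fingerprint(files, schema, config))
    # A one-line code fix invalidates the stored result ...
    files["app.php"] = b"<?php echo htmlspecialchars($_GET['q']); ?>"
    after_code = current_findings(rec, fingerprint(files, schema, config))
    # ... and so does a backend change even with the original code restored.
    files["app.php"] = b"<?php echo $_GET['q']; ?>"
    config["db_host"] = "db2.internal"
    after_host = current_findings(rec, fingerprint(files, schema, config))
    return unchanged, after_code, after_host


if __name__ == "__main__":
    print(demo())  # (['XSS in app.php'], None, None)
```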

  17. III. AppScan and the SDLC – Considerations AppScan Considerations • AppScan is incredibly invasive. It can inject bad SQL data and even cause DoS (Denial of Service). • It can cause dramatic performance reductions (including lower read/write database speeds and slower script processing). • Therefore, we strongly recommend testing your web apps in a sandbox, outside of a production web server environment.

  18. IV. Making the Case: • AppScan and Third-Party, “Community Supplied” Software

  19. IV. AppScan and Third-Party Software • We live in a web where free additions to platforms are readily available, easy to obtain, and easy to install. • Free plugins, add-ons, and enhancements are part of ever-growing marketplaces for products like WordPress, Joomla, Plone, and yum for RPM systems (Fedora, CentOS), among many others.

  20. IV. AppScan and Third-Party Software Human nature has a tendency to trust, especially when a trusted source makes available software under its name. In each of these examples below, the name lends a false allure of credence to the third-party software: • "WordPress Plugin" • "Joomla Extension" • "Plone Add-On" • "jQuery plugin"

  21. IV. AppScan and Third-Party Software Example 1: Joomla’s Official “Vulnerable Extensions List” http://docs.joomla.org/Vulnerable_Extensions_List • A prolific list of approximately 164 Joomla extensions with known exploits • These are largely comprised of XSS, file upload, and SQL injection issues. The very vulnerabilities that AppScan is so adept at catching.

  22. IV. AppScan and Third-Party Software Example 2: Secunia’s WordPress Vulnerability Records http://secunia.com/advisories/product/SOFT_W/#list • Secunia is a reputable European security firm, based in Denmark. Like Sophos, it also maintains a public-facing record of WordPress plugin vulnerabilities. • These are largely comprised of XSS, file upload, and SQL injection issues. The very vulnerabilities that AppScan is so adept at catching.

  23. IV. AppScan and Third-Party Software Don’t Blindly Trust Community-Supplied Software • A common assumption is that plugins obtained from a source like WordPress, Plone, or Joomla are also safe. This is a risky approach and increases the risk of your web application becoming compromised. • You simply can never be sure that the third-party software, or the unique combination of plugins you use together, has been vetted for security. These are an often overlooked attack vector.

  24. Getting Aboard I want to use it! What do I do? • Visit itsecurity.ucla.edu/appscan • View a product summary, this presentation, and a contact form. Fill that out to get started. We will handle issuing you an account, creating group policies, setting up a training session, and whatever else you need to get started with AppScan.

  25. Last But Not Least…Let’s Follow Up Follow and Keep Up With UCLA IT Security
