A Strategy… For improving the security of Web and Internet applications
Nancy N. Soreide, NOAA/PMEL
NOAA WebShop 2004, July 27-29, 2004, Philadelphia, PA
Creation of successful web pages is critical to supporting NOAA’s mission strategy to: “Engage, advise, and inform individuals, partners, communities, and industries to facilitate information flow, assure coordination and cooperation, and provide assistance in the use, evaluation, and application of information” NOAA Strategic Plan, updated for FY2005-FY2010
NOAA projects are famous for interactive web pages that produce information and data as customized graphics, listings and animations of scientific data for the user. In fact, NOAA websites that present NOAA science, data, analysis and information in a manner that is clear, scientifically validated, useful, interesting and intelligible by a broad audience are critical to supporting NOAA in promoting “increased use and effectiveness of climate information for decision makers and managers”*
*NOAA Strategic Plan, updated for FY2005-FY2010
High Technology Web and Internet Applications
• Creation of effective and easily navigated web pages, for which NOAA is famous, requires that developers utilize high technology solutions:
  • Java applets and back-end Java
  • Common Gateway Interface (CGI) scripts
  • Database access methodologies
  • Content management products and solutions
• Security considerations require that developers recognize and address potential vulnerabilities.
• However, interactions between computer/network security specialists and developers have traditionally been minimal.
Who has the expertise to address application security issues? The expertise for developing secure web pages lies within NOAA’s skilled developer community.
Therefore… A strategic approach to improving Web and Internet application security within an organization must combine the efforts of skilled developers and the IT security experts who manage computer and network security.
Developer Forums: Bringing security staff and developers together
• Objectives:
  • Raise security awareness within the organization’s IT community
  • Alert developers to security issues and potential vulnerabilities
  • Share technical expertise and solutions
  • Identify secure programming practices to minimize vulnerabilities
  • Initiate a dialog amongst developers and security experts
  • Make developers part of the IT security process
  • Provide security training
Developer Forums
• Who should participate in the Forum?
  • Organization’s ITSO and CIO
  • Skilled Web and Internet application developers
  • Computer and network security experts
  • Any other interested staff: programmers who may not be developing for the Internet or the Web, other interested technical staff, project scientists, management, …
Developer Forums
• Invited presentations from:
  • ITSO and CIO, to provide context on the magnitude and importance of web/internet security issues
  • Skilled Web and Internet application developers, on secure programming in their area of expertise
  • Computer and network security experts, where applicable to the forum topics
Developer Forums
• Forum focus topics:
  • General Internet/Web security issues
  • Common Gateway Interface (CGI) scripts
  • Database access from a web page
  • Secure PHP configuration and scripting
  • Generic, secure feedback script to avoid email harvesting
  • Java and JavaScript
  • XML
  • Apache configuration and extensions
  • Multi-tiered applications that isolate web clients from primary databases
Developer Forums
• Example: Forum on Secure CGI programming
  • CIO and ITSO established background and context
  • Developers made presentations:
    • Secure Perl CGI scripting
    • Secure PHP configuration and scripting
    • Wrapper utilities that eliminate the need to write Perl or other scripts
  • Provided relevant references and Web links
  • Door prizes: books on secure programming practices
  • Solicited ideas for future Forum topics
Required that one representative from each Project within our organization attend this Forum
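The forum topics above include a "generic, secure feedback script to avoid email harvesting" and secure CGI scripting. The slides do not reproduce any such script, so the following is an added example, written here in Python rather than the Perl or PHP the forums covered, of the two properties such a script needs: the destination mailbox lives only on the server (the HTML form carries no mailto: link or hidden "to" field, so harvesters and spammers cannot read or redirect it), and any CR or LF in a value that ends up in a mail header is rejected, since that is how a "feedback" form gets turned into a relay by appending Bcc: lines. The recipient address, field names and length limits are assumptions, not NOAA's.

```python
"""Feedback-form handler that keeps the destination mailbox off the page
and refuses mail-header injection.  Added illustration, not code from the
NOAA WebShop deck; recipient, field names and limits are assumptions."""
import os
import re
import sys
from email.message import EmailMessage
from urllib.parse import parse_qs

# The destination exists only here, server-side.  The HTML form carries no
# mailto: link and no hidden "to" field, so address harvesters crawling the
# site have nothing to scrape and a submitter cannot redirect the mail.
FEEDBACK_RECIPIENT = "webmaster@example.org"   # assumed address

LIMITS = {"email": 254, "subject": 120, "message": 4000}   # assumed limits
# Deliberately conservative address syntax for a feedback form.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


class FeedbackError(ValueError):
    """Raised for any input the handler refuses; the caller answers HTTP 400."""


def _field(fields, name, header=True):
    values = fields.get(name, [])
    if len(values) != 1:
        raise FeedbackError(f"{name}: expected exactly one value")
    value = values[0].strip()
    if not value or len(value) > LIMITS[name]:
        raise FeedbackError(f"{name}: missing or over {LIMITS[name]} characters")
    # A CR or LF inside a header value terminates that header; whatever
    # follows is parsed as further headers, so a subject of
    # "Hi%0D%0ABcc: victim@..." silently adds a Bcc recipient.
    if header and ("\r" in value or "\n" in value):
        raise FeedbackError(f"{name}: line breaks are not allowed")
    return value


def build_feedback(query_string):
    """Validate a submitted form body and return the message to hand to the MTA."""
    fields = parse_qs(query_string, keep_blank_values=True)
    sender = _field(fields, "email")
    if not ADDR_RE.fullmatch(sender):
        raise FeedbackError("email: not a valid address")
    subject = _field(fields, "subject")
    body = _field(fields, "message", header=False)  # body text may contain newlines

    msg = EmailMessage()
    msg["To"] = FEEDBACK_RECIPIENT
    # From stays on our own domain; the visitor's address goes in Reply-To,
    # so the script cannot be used to send mail that appears to come from
    # an arbitrary third party.
    msg["From"] = FEEDBACK_RECIPIENT
    msg["Reply-To"] = sender
    msg["Subject"] = "[web feedback] " + subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Minimal CGI entry point: form body from stdin (POST) or QUERY_STRING (GET).
    # A real deployment hands `msg` to smtplib or sendmail instead of logging it.
    if os.environ.get("REQUEST_METHOD") == "POST":
        raw = sys.stdin.read()
    else:
        raw = os.environ.get("QUERY_STRING", "")
    try:
        msg = build_feedback(raw)
    except FeedbackError as exc:
        print("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nRejected: " + str(exc))
    else:
        print("Content-Type: text/plain\r\n\r\nThanks, your feedback has been queued.")
        print(msg.as_string(), file=sys.stderr)   # goes to the web server error log
```

The same checks apply unchanged to a Perl or PHP version: the point is that every value destined for a header is length-limited and newline-free before it is used, and that the recipient is a constant in the script rather than anything taken from the request.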
Developer Forums
• Example: Invited speaker from the NOAA CIRT (Diane Davidowicz)
  • Increased understanding of security experts’ concerns
  • Increased awareness of security incidents in NOAA
  • Underscored the importance of security to the organization
  • Stimulated interest in addressing potential vulnerabilities
  • Generated ideas about how security could be improved
  • Included developers in the IT security process
Required that one representative from each Project within our organization attend this Forum
Developer Forums
• How well have they worked?
  • Forums have raised awareness of IT security issues
  • Developers liked the Forums, and requested more on other topics
  • Developers felt they benefited from the interaction and technical dialog
  • Developers and security staff better understand one another’s concerns
  • Developers have initiated IT security improvements within their own projects
  • Developers and security staff are both involved in the security process
  • At the organizational level, other OAR Senior IT managers requested our Forum web pages
http://www.epic.noaa.gov/talks/nns/security/
Partnerships
• Security issues extend beyond workstations, servers, desktop computers and networks, password and patch management, and the other issues traditionally addressed by a computer support group.
• Improved communication and a sense of partnership between the computer/networking specialists and programmers is critical to a secure IT environment with secure Web and Internet applications.
• The Forums bring these two groups together and focus them on a common goal.
• Policy is easier to implement if IT security staff and developers are already engaged in partnerships and dialogs.
• When developers are brought into the security process, security is built into applications from the beginning, improving the efficiency and effectiveness of the process.
A cooperative project: Isolating the Web Server outside of the firewall
• Content mirrored automatically from inside to outside the firewall
• Web applications access mirrored databases, not the primary database
• Dedicated Web Server (no other applications)
• No user login accounts on the Web Server
• Reduces overhead, such as backups
• Meets security needs without impacting developer productivity
• Although laboratory security experts had been considering a migration towards an isolated web server…
  • The idea occurred independently to one of the Projects (after one of the Forums)… and they are already moving towards an implementation, in partnership with security staff, that will serve as a testbed for other Projects
  • Web Server isolation is being accomplished more quickly than would otherwise be possible, because developers and security staff both have ownership from the beginning of the process.
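The two data-handling points above, content mirrored one way from inside the firewall and web applications reading a mirrored copy rather than the primary database, are the same multi-tier pattern listed earlier among the forum topics. The deck gives no implementation details, so what follows is an added Python illustration (not PMEL's deployment) that uses SQLite so it runs stand-alone: a primary database that is the only place rows are written, a scheduled copy into a mirror, and a web tier that opens the mirror read-only so that even a compromised or buggy web application cannot alter data. The table name, station ids and rows are constructed sample data.

```python
"""Two-tier data access: primary database inside the firewall, automatic
one-way mirror, web tier reads the mirror read-only.  Added illustration
with SQLite; in production the mirror step is rsync/replication through the
firewall and the web tier uses a database account with SELECT only."""
import os
import sqlite3
import tempfile

# Constructed sample observations: (station, ISO time, sea-surface temp in C).
SAMPLE_OBS = [
    ("46005", "2004-07-26T12:00", 11.9),
    ("46005", "2004-07-27T12:00", 12.4),
    ("46050", "2004-07-27T12:00", 14.1),
]


def load_primary(path):
    """Inside the firewall: the only tier that ever inserts or updates rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE buoy_obs (station TEXT, obs_time TEXT, sst_c REAL)")
    conn.executemany("INSERT INTO buoy_obs VALUES (?, ?, ?)", SAMPLE_OBS)
    conn.commit()
    conn.close()


def refresh_mirror(primary_path, mirror_path):
    """Scheduled one-way copy, primary -> mirror (SQLite online backup API).
    The web server holds no credentials for the primary; the copy is pushed
    outward by a job that runs inside the firewall."""
    src = sqlite3.connect(primary_path)
    dst = sqlite3.connect(mirror_path)
    src.backup(dst)
    dst.close()
    src.close()


def open_web_tier(mirror_path):
    """Outside the firewall: mode=ro makes every write fail inside SQLite,
    regardless of any bug in the application code above it."""
    return sqlite3.connect(f"file:{mirror_path}?mode=ro", uri=True)


def latest_sst(conn, station):
    """Parameterised query: the station value is bound, never interpolated."""
    row = conn.execute(
        "SELECT sst_c FROM buoy_obs WHERE station = ? ORDER BY obs_time DESC LIMIT 1",
        (station,),
    ).fetchone()
    return None if row is None else row[0]


def demo():
    """Build both tiers, serve a query, then show a write attempt being refused.
    Returns (latest SST for 46005, result of an injection attempt, write_blocked)."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = os.path.join(tmp, "primary.db")
        mirror = os.path.join(tmp, "mirror.db")
        load_primary(primary)
        refresh_mirror(primary, mirror)
        web = open_web_tier(mirror)
        try:
            sst = latest_sst(web, "46005")
            # Bound as a literal string, so this matches no station at all.
            injected = latest_sst(web, "46005' OR '1'='1")
            try:
                web.execute("DELETE FROM buoy_obs")
                write_blocked = False
            except sqlite3.OperationalError:   # "attempt to write a readonly database"
                write_blocked = True
        finally:
            web.close()
    return sst, injected, write_blocked


if __name__ == "__main__":
    print(demo())
```

Two layers enforce the isolation: the mirror is opened read-only so writes fail in the database engine, and queries bind their parameters so user input cannot change the SQL. Removing either one leaves the web server with more authority over the data than the architecture intends.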
A future project:
• Use a Layer 7 switching technology or product such as Cisco LocalDirector
  • Separates the IP address or URL from a specific piece of hardware
  • Supports one IP / URL with multiple backend web servers
  • Allows security patching without service interruption
  • Improves availability
  • Manages local load balancing
Summary
• Web pages are critical to meeting NOAA’s strategic goal to “engage, advise, and inform individuals, partners, communities, and industries”
• A strategy is needed to address the security of Web and Internet applications
• Involving developers and IT security staff in dialog and partnerships is critical to securing NOAA Web and Internet applications