
Secure eGovernment Services



Presentation Transcript


  1. Improve Security through Process Secure eGovernment Services

  2. Ira Miller Internet Technology Services Supervisor ITSD/DOA State of Montana

  3. Recent Security News • Twitter.com Cross Site Scripting (XSS) attack hits over 500k users in one day (9/21) • ASP.NET Information disclosure bug (9/18) • ASPROX SQL Injection • 1 in 5 College Students Have Successfully Hacked a System • It only takes one vulnerability…

  4. What Makes an App Secure? • Is it the development languages used? • Server platform or tools? • Developer skill? • Luck?

  5. Scenario • New exploit is discovered for your app • The vulnerable application has 3 major components on 3 different servers • It is Saturday morning • Only one developer can be reached…

  6. Scenario – Not If, When. • How do we fix the problem? • Does every developer know how to properly patch the application? • How do we ensure the fix doesn’t make things worse? • How does a fix get deployed? • How do we keep ourselves out of this mess in the first place?

  7. Success Through Process • Any developer can patch the application if it follows the standards they use every day • Source Control • Documentation • Automated builds ensure the code is ready • Unit Testing • Static Code Analysis • Security Testing • One Click Deployment

  8. It does not matter how trendy, fast or powerful a web application is when it takes your arm off

  9. Add Security to Your Process • Application Design • Development • Testing Source Code • Application Firewalls • Monitoring

  10. Application Design • Best place to influence security of a system • Understand the risks, plan for them • Consider security risks for each piece of an application

  11. Development • Source Control • Forms a history documenting the development of a system • Continuous Integration • Source code is checked with each commit • Problems are found early • Quality is reinforced

  12. (C# from the slide, reformatted; the access check fails open: showControls starts out true and stays true when loading the user throws)

      bool showControls = true;

      void ShowAdminControls()
      {
          CheckAdminAccess();
          if (showControls)
              RenderAdminControls(); // name assumed; the slide calls ShowAdminControls() here, which would recurse into itself
      }

      void CheckAdminAccess()
      {
          try
          {
              var user = LoadUserFromDatabase();
              showControls = CheckForAdminRights(user);
          }
          catch (Exception error)
          {
              LogError(error); // uh-oh, better track this
                               // showControls is still true, so the admin controls are shown anyway
          }
      }

  13. Testing • Unit Testing • Ensures new code does not break old • Shows which features are working and which are incomplete • Security Tools • Audit source code for common vulnerabilities • Attackers use them to find weaknesses every day • Automate for Each Release and Annually
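As an added example (not code from the slides or from the State of Montana), here is the slide 12 access check rewritten to fail closed, with a self-contained Main that performs the three checks a slide 13 regression test would lock in: admin user, ordinary user, and the database throwing. User, IUserStore, FakeUserStore, AdminPanel, Render and Check are names assumed for this example.

```csharp
// Added example: slide 12's check rewritten to fail closed, plus the three
// cases a unit test should pin down. All type and method names are assumed.
using System;
using System.Collections.Generic;

public sealed class User
{
    public string Name { get; }
    public bool IsAdmin { get; }
    public User(string name, bool isAdmin) { Name = name; IsAdmin = isAdmin; }
}

// Abstracting the database lets a test simulate an outage.
public interface IUserStore
{
    User LoadCurrentUser();
}

public sealed class FakeUserStore : IUserStore
{
    private readonly User _user;
    private readonly bool _throw;
    public FakeUserStore(User user, bool throwOnLoad = false) { _user = user; _throw = throwOnLoad; }
    public User LoadCurrentUser()
    {
        if (_throw) throw new InvalidOperationException("database unavailable (simulated)");
        return _user;
    }
}

public sealed class AdminPanel
{
    private readonly IUserStore _store;
    private readonly List<string> _errorLog = new List<string>();
    public IReadOnlyList<string> ErrorLog => _errorLog;

    public AdminPanel(IUserStore store) { _store = store; }

    // Fail closed: the default is "no access" and only a successful rights
    // check turns it on. The slide's version starts at true and stays true
    // when LoadUserFromDatabase throws.
    public bool CheckAdminAccess()
    {
        bool showControls = false;
        try
        {
            var user = _store.LoadCurrentUser();
            showControls = user.IsAdmin;
        }
        catch (Exception error)
        {
            _errorLog.Add("CheckAdminAccess failed: " + error.Message);
            showControls = false; // explicit, so a later edit cannot quietly re-open it
        }
        return showControls;
    }

    // Returns what the page would render, so the decision is testable.
    public string Render()
    {
        return CheckAdminAccess() ? "admin-controls" : "no-admin-controls";
    }
}

public static class Program
{
    public static void Main()
    {
        var admin = new AdminPanel(new FakeUserStore(new User("alice", isAdmin: true)));
        var regular = new AdminPanel(new FakeUserStore(new User("bob", isAdmin: false)));
        var outage = new AdminPanel(new FakeUserStore(new User("alice", isAdmin: true), throwOnLoad: true));

        Check(admin.Render() == "admin-controls", "admin sees controls");
        Check(regular.Render() == "no-admin-controls", "non-admin does not");
        Check(outage.Render() == "no-admin-controls", "database error denies access");
        Check(outage.ErrorLog.Count == 1, "the failure is logged, not swallowed");
        Console.WriteLine("all checks passed");
    }

    private static void Check(bool condition, string what)
    {
        if (!condition) throw new Exception("FAILED: " + what);
        Console.WriteLine("ok: " + what);
    }
}
```

The third check is the one that matters for the process argument: it is the test that would have failed on slide 12's code, and once it is part of the automated build any developer who reintroduces the fail-open default gets told at commit time rather than on a Saturday morning.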

  14. Application Firewall • Perimeter defense • Applies to all applications • Great inspection point for monitoring • Can buy you time when a new attack surfaces

  15. Monitoring • Build reports • Application error messages • Firewall logs • User trouble tickets • Security blogs
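As an added example (not code from the slides or from the State of Montana) of the kind of report slide 15 has in mind, the following C# correlates constructed sample lines from an application error log and a firewall log, counts events per client address, and flags clients that show up in both. The log formats, the "CheckAdminAccess failed" message and the review threshold are assumptions made for this example.

```csharp
// Added example: a small monitoring report over constructed log lines.
// Log formats, message text and threshold are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class MonitoringReport
{
    // Constructed sample data; real lines would come from files or a log collector.
    public static readonly string[] AppErrorLog =
    {
        "2010-09-25 08:01:12 client=10.0.0.7 CheckAdminAccess failed: database unavailable",
        "2010-09-25 08:01:15 client=10.0.0.7 CheckAdminAccess failed: database unavailable",
        "2010-09-25 08:02:40 client=10.0.0.9 NullReferenceException in ReportPage",
        "2010-09-25 08:03:01 client=10.0.0.7 CheckAdminAccess failed: database unavailable",
    };

    public static readonly string[] FirewallLog =
    {
        "2010-09-25 08:00:59 BLOCK src=10.0.0.7 rule=sqli-pattern uri=/login.aspx",
        "2010-09-25 08:01:10 ALLOW src=10.0.0.9 uri=/report.aspx",
        "2010-09-25 08:03:00 BLOCK src=10.0.0.7 rule=xss-pattern uri=/search.aspx",
    };

    private static readonly Regex AppLine = new Regex(@"client=(?<ip>\S+)\s+(?<msg>.+)$");
    private static readonly Regex FwLine = new Regex(@"(?<action>BLOCK|ALLOW)\s+src=(?<ip>\S+)");

    // Count application errors and firewall blocks per client address.
    public static Dictionary<string, (int appErrors, int fwBlocks)> Summarize(
        IEnumerable<string> appLog, IEnumerable<string> fwLog)
    {
        var counts = new Dictionary<string, (int appErrors, int fwBlocks)>();
        foreach (var line in appLog)
        {
            var m = AppLine.Match(line);
            if (!m.Success) continue;
            var ip = m.Groups["ip"].Value;
            var c = counts.TryGetValue(ip, out var v) ? v : (0, 0);
            counts[ip] = (c.appErrors + 1, c.fwBlocks);
        }
        foreach (var line in fwLog)
        {
            var m = FwLine.Match(line);
            if (!m.Success || m.Groups["action"].Value != "BLOCK") continue;
            var ip = m.Groups["ip"].Value;
            var c = counts.TryGetValue(ip, out var v) ? v : (0, 0);
            counts[ip] = (c.appErrors, c.fwBlocks + 1);
        }
        return counts;
    }

    // Clients that both trip the firewall and generate repeated application
    // errors are the first ones worth a look; the threshold is an assumption.
    public static IEnumerable<string> Flag(
        Dictionary<string, (int appErrors, int fwBlocks)> counts, int threshold = 2)
    {
        return counts.Where(kv => kv.Value.fwBlocks >= 1 && kv.Value.appErrors >= threshold)
                     .Select(kv => kv.Key);
    }

    public static void Main()
    {
        var counts = Summarize(AppErrorLog, FirewallLog);
        foreach (var kv in counts)
            Console.WriteLine($"{kv.Key}: appErrors={kv.Value.appErrors} fwBlocks={kv.Value.fwBlocks}");
        foreach (var ip in Flag(counts))
            Console.WriteLine($"review: {ip}");
    }
}
```

With the sample data, 10.0.0.7 accumulates three application errors and two firewall blocks and is flagged, while 10.0.0.9 (one unrelated error, no blocks) is not. The point of joining the two sources is the one slide 14 makes: the firewall is the inspection point, but the application's own error log is what tells you whether the blocked requests were also reaching code that does not handle failure well.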

  16. Summary • Building a Web Application is Hard • Security Can Be Improved By Integrating With Your Processes • Monitor Your Applications to Ensure Your Process is Working

  17. Questions?
