I recently talked web application security with one of my guys. He would like a clear policy.

Right now, I have no prescriptive policy, just guidance that the developer must be well-educated in general security practices and be prepared to apply them as needed. On the training end, I've recently had my team sit down for a series of web application security videos over Pluralsight.

I also have some well-understood general expectations, like the application must use HTTPS or other secured connections if anything sensitive is transmitted. Outside that, given the wide variety of situations—application types, functionality, scenarios, other systems they work with, etc.—I cannot imagine a clean prescriptive policy.

How have you approached this?

Aren Cambre, '99, '03
Team Lead, Web Technologies Team
Office of Information Technology
Southern Methodist University

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


Comments

Hello, as a web application security specialist and chapter leader in OWASP I'm extremely invested in this topic. Although I think in principle developer training is important, a number of studies, including ones by White Hat Security and the Denim Group (https://www.youtube.com/watch?v=jUOecoGGA2g&list=PLpr-xdpM8wG8ODR2zWs06J...), seem to indicate that the impact of developer training is lower than expected. Instead of training, it is much more effective to insist that developers utilize platforms and frameworks that take the job of security away from the developer and instead bake countermeasures into the code. Systems like Drupal, Symfony2, Django, Zend Framework, etc. take care of vulnerabilities like XSS, XSRF and SQL injection without the developer having to do anything special. Be careful though, because not all frameworks are equal. For instance, CodeIgniter has security countermeasures, but they're not enabled by default, which defeats the purpose (again, the developer has to understand security and apply controls). Similarly, some frameworks haven't withstood extensive security scrutiny, such as Ruby on Rails. Insist that custom web applications use frameworks with a proven security track record. Using a robust framework with a complete security lifecycle (patches and updates released over time that can be easily applied to applications) and a dedicated security team will ensure that future vulnerabilities are addressed as well. Standardizing on a set of supported frameworks will also ensure that you have expertise in-house to support applications after they're deployed. If you're looking for general guides, the OWASP Cheat Sheet (https://www.owasp.org/index.php/Cheat_Sheets) documents are excellent.

As a direct answer to your question, at the School of Arts & Sciences at Penn we insist custom apps be developed in either Drupal or the Symfony2 framework, and we provide full lifecycle support including manual code review and upgrades. We publish our Drupal security requirements online (http://www.sas.upenn.edu/computing/drupal-security). So far this approach has led to a dramatic reduction in web application security incidents, extended our capability to support advanced functionality, and cut down on maintenance overhead dramatically.

Cheers,

Justin C. Klein Keane, MA MCIT
Security Engineer
University of Pennsylvania, School of Arts & Sciences

The PGP signature on this mail can be verified using the public key at https://sites.sas.upenn.edu/kleinkeane
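The contrast Justin draws, countermeasures on by default versus opt-in, shown for the XSS and SQL-injection cases he names. This is an added Python example, not code from the thread or from any framework it mentions; the helper names, the sample inputs and the in-memory table are all constructed here.

```python
import html
import sqlite3

# Constructed sample inputs (not from the thread): a script tag and a
# classic SQL tautology, the kinds of input the frameworks named in the
# post neutralize without developer effort.
XSS_INPUT = "<script>alert(1)</script>"
SQLI_INPUT = "' OR '1'='1"


def render_comment(body, autoescape=True):
    """Template helper with escaping ON by default; the developer must
    opt OUT explicitly (the posture the post recommends). Passing
    autoescape=False models a framework whose filter is off by default."""
    safe = html.escape(body, quote=True) if autoescape else body
    return f'<p class="comment">{safe}</p>'


def find_user(conn, username):
    """Query helper that only accepts bound parameters, so user input is
    never spliced into the SQL text regardless of what the caller does."""
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return [row[0] for row in cur.fetchall()]


def find_user_concat(conn, username):
    """The hand-rolled alternative a framework removes: string-built SQL.
    Shown only so the two results can be compared side by side."""
    cur = conn.execute(f"SELECT name FROM users WHERE name = '{username}'")
    return [row[0] for row in cur.fetchall()]


def demo_db():
    """In-memory SQLite table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def script_tag_survives(rendered):
    """True when the raw <script> tag reached the output unescaped."""
    return "<script>" in rendered


if __name__ == "__main__":
    print(render_comment(XSS_INPUT))                    # escaped
    print(render_comment(XSS_INPUT, autoescape=False))  # raw tag survives
    db = demo_db()
    print(find_user(db, SQLI_INPUT))         # [] : input bound as data
    print(find_user_concat(db, SQLI_INPUT))  # ['alice', 'bob'] : tautology
```

The policy point is the default: a review checklist only has to ask whether the opt-out was used, rather than whether every developer remembered to opt in.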
Thank you. This is helpful. I didn't think about using a framework.

Aren

-----Original Message-----
From: The EDUCAUSE Web Administrators Constituent Group Listserv [mailto:WEB@LISTSERV.EDUCAUSE.EDU] On Behalf Of Justin C. Klein Keane
Sent: Tuesday, February 18, 2014 12:32 PM
To: WEB@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WEB] Policies on security for custom-developed web apps