Securing Your Web Application and Database
June 9 – 10, 2016
Presenters: Garth Colasurdo, Nader Khalil, Tuan Bui
What we will cover today:
• Why App/Database Security?
• How-to: Development of (Secured) App/Database
  o Planning and Architecture
  o Mobile and Web-based App Security Points
• How IT Can Help You…
Why App/Database Security?
Because…
• There are bad people out there who want to exploit your work for personal gain.

Since November 2015 @ UNM:
• 559+ web vulnerabilities (potential exploits exist)
• 12+ compromised websites (forcibly taken over)
• 2 personal data incidents (FERPA)
How-to: Planning and Architecture
Planning and Architecture
Addressing Business Needs
Business Needs
• New Vs. Existing
• Vendor Vs. In-house
• Cloud Vs. On-premise
User Needs
Technical Needs
Planning and Architecture
Technology Choices
• Type of application
• Type of developing tools
• Type of hosting
• Type of data to be collected
Planning and Architecture
Key Data Sensitivity
• Type of data you may collect “directory information”
• Do not collect information you do not need
• Sharing information with other
Data Classification
• E Class (Encrypted): SSN (or part of it), Tax Information, student medical record
• C Class (Confidential): GPA, Race, Gender
• P Class (Public): Name, Address, Telephone listing
Planning and Architecture
Roles and Responsibilities
• Data Owners
  o Senior administrators --> ultimate authority and responsibility for the access, accuracy, classification, and security of the data within their delegations of authority.
• Data Stewards
  o University officials who have direct operational-level authority and responsibility for the management of one or more types of institutional data
• Data Custodian
  o Responsible for the operation and management of technology, systems, and servers that collect, store, process, manage, and provide access to University data
• Data User
  o Authorized individuals --> to perform assigned duties or functions within the University.
Planning and Architecture
Policies
• Acceptable Computer Use, UNM Policy 2500
• Computer Security Controls and Access to Sensitive and Protected Information,
• Credit Card Processing, UNM Policy 7215
• Information Security, UNM Policy 2550
• Social Security Numbers, UNM Policy 2030
• Health Insurance Portability and Accountability Act (HIPAA)
Federal Law
• The Family Educational Rights and Privacy Act (FERPA)
Standards
• Data Classification
• Data Encryption
• Information Stewardship and Confidentiality
Planning and Architecture
Full Lifecycle Planning
• Business Needs
• Find a Solution
• Security Assessment
• Design
• Implement
• Support
How-to: Mobile or Web-based App Security Points
<? php secure_database.always ?>
<protect.forms.no_injection.all>
xScriptHijack(this.page) {
xsite: false;
}
Start Here: www.owasp.org
https://www.owasp.org/index.php/Cheat_Sheets
Restricting Access
• Roles
  o Customer roles
  o Office roles
• Can you use CAS?
• Be very careful about local accounts
  o Not a business you want to be in
Server Configurations
• Communication layer: SSL all the time
• Source file access
• File uploads from users
• Error messages
Protecting Data
• Credentials
• Isolation
• Transactions
• Encryption
Coding Best Practices
• Frameworks and MVC
• Injection Protection
  o PDO SQL for PHP, SqlCommand() for .Net, createQuery() for Hibernate
  o Stored procedures in the database
  o White List input validation
  o Escape all user supplied input
• Session Control
  o Horizontal or vertical escalation of privileges
• Account for all error conditions
• Request a security assessment
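The injection-protection points above, combined in one added example that is not part of the original slides: a PDO prepared statement for the value, a white list for the one part of the query that cannot be bound, and HTML escaping on output. The `students` table, the sample rows and the function names `find_students` and `render_rows` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)');
$pdo->exec("INSERT INTO students (name, dept) VALUES
    ('Ana <b>Ruiz</b>', 'Biology'), ('Ben Ortiz', 'Biology'), ('Cy Lee', 'Physics')");

// Hypothetical helper: list students in one department, sorted by a user-chosen column.
function find_students(PDO $pdo, string $dept, string $sort): array
{
    // White-list validation: identifiers cannot be bound as parameters,
    // so the sort column must match a fixed set of known column names.
    $allowedSort = ['id', 'name'];
    if (!in_array($sort, $allowedSort, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    // Parameterized query: $dept travels as data, never as SQL text.
    $stmt = $pdo->prepare("SELECT id, name FROM students WHERE dept = :dept ORDER BY $sort");
    $stmt->execute([':dept' => $dept]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output escaping: encode stored values for the HTML context before printing.
function render_rows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

// A quote-bearing department value is matched literally as data and finds no rows.
var_dump(count(find_students($pdo, "Biology' OR '1'='1", 'name')));
echo render_rows(find_students($pdo, 'Biology', 'name'));

// A sort value outside the white list is rejected before any SQL is built.
try {
    find_students($pdo, 'Biology', 'name; DROP TABLE students');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```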
Lifecycle
• Updating
• Patching
• Monitoring
• New features
• Decommissioning
How IT Can Help You…
What We Do…
• Notify you of 0-day (newly discovered) technology vulnerabilities;
• Notify you of your websites’/applications’ (scanned) vulnerabilities;
• Provide you with professional services to prevent small risks from becoming big incidents.
(Some of) Our Services…
• Risk Assessment
• Vulnerability Mitigation
• Website/Application Development/Hardening
Contact Us…
@ help.unm.edu
505.277.5757
(ask for Miguel from Security)
Questions?