TechnoExpo, September 2004
University of California, Irvine
Security Awareness for Web Developers
Katya Sadovsky, katya@uci.edu
Administrative Computing Services
Agenda
- Overview of privacy regulations
- Security architecture design
- Authentication with WebAuth
- File and directory security risks
- Modeling and storing sensitive data
- Sensitive data in cookies and URLs
- Communication between distributed components
- Peer code reviews
End User Security
- Since developers are also end users of computing, the topics covered in the "End User Security Awareness" session apply to attendees of this session as well.
- Session materials are available at: http://apps.adcom.uci.edu/EnterpriseArch/PresentationsConferences/TechnoExpo2004EndUserSecurity.ppt
Privacy regulations
- Senate Bill 1386 (California state law)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Digital Millennium Copyright Act
- Federal Trade Commission: Gramm-Leach-Bliley Act on customer privacy
- USA PATRIOT Act of 2001
Senate Bill 1386 (California state law)
- "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  - Social Security number
  - Driver's license number or California Identification Card number
  - Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
FERPA
- Family Educational Rights and Privacy Act
- Federal law that protects the privacy of student education records
- Allows students to block access to their information, or even to the fact that they are enrolled. Contact the Registrar for information and procedures.
HIPAA
- Health Insurance Portability and Accountability Act
- "Individually identifiable health information" is private and must be protected in any form or medium, whether electronic, paper, or oral.
- Protect demographic data (e.g. name, address, birth date, Social Security number) related to:
  - the individual's past, present or future physical or mental health or condition
  - the provision of health care to the individual
  - the past, present, or future payment for the provision of health care to the individual
Campus Policies you must know
- You can find all policies at http://www.policies.uci.edu
- 714-11 Guidelines for NACS Computer Usage
- 714-12 Office of Academic Computing Policy on Ownership and Rights of Access to Software and Data
- 714-14 Copying Computer Programs
- 714-15 Policy on Access to University Administrative Information Systems
- 714-16 Procedures for Accessing University Administrative Information Systems
- 714-17 Using University Administrative Information Systems
- 714-18 Computer and Network Use Policy
Using sensitive data in applications
- Getting the necessary approvals:
  - The Payroll/Personnel office or Human Resources must grant approval for access to private employee information
  - The Registrar has a formal process for approving student data release
Security Architecture Design
- The security architecture must facilitate:
  - proper and efficient identification
  - authentication
  - authorization
  - administration and auditability
- Identity management:
  - uniqueness
  - account management
Security Architecture Design
- The security architecture also should:
  - be flexible enough to support the introduction and/or integration of new technologies
  - address and support multiple levels of protection, including database, network, operating system, and application level security needs
  - provide a modular approach to authentication, authorization, and accounting
Security Architecture Design
- Other design considerations:
  - Consider security during initial system design
  - Minimize the number of security devices
  - Delegate access control where appropriate
  - Centralize security policy, maintenance, operation and oversight functions
  - Utilize open standards
  - Assign security levels consistently and at the lowest level of access required by the individual (least privilege)
Authentication with WebAuth
- WebAuth is the campus single sign-on authentication mechanism
- General information is available at http://www.nacs.uci.edu/help/webauth
- There is additional information for Java programmers at http://snap.uci.edu/PortalDocs/webAuth/ssoWithWebAuth.html
- Single sign-on = single sign-off! Once a user logs off one WebAuth-enabled application, s/he should be logged off all others
Authentication with WebAuth
- Understand the different timeouts:
  - Cookie age
  - Local session timeout
- Logout:
  - Do not use "backend" logouts (server-to-server calls), since they cannot dispose of the cookie held by the user's browser; answer the logout request with an HTTP redirect to the WebAuth logout instead.
  - Test your applications to make sure they reflect the logout as soon as it is sent to WebAuth from this or any other application (even if there is a local session)!
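An added illustration of the logout point above (example code, not from the slides or from WebAuth itself): the single sign-on cookie lives in the browser, so the only way the application can get rid of it is to send the browser a response that expires the application's own local session cookie and redirects to the sign-off endpoint. The logout URL and the cookie name are assumptions for the example.

```python
"""Added example (not from the UCI slides): a logout that goes through the
browser.  A server-side ("backend") call cannot remove a cookie the browser
holds; the logout response has to expire the local session cookie and
redirect the browser to the single sign-off endpoint.  The endpoint URL and
cookie name are assumptions for illustration."""

from http.cookies import SimpleCookie

# Assumed single sign-off endpoint; substitute the real WebAuth logout URL.
WEBAUTH_LOGOUT_URL = "https://webauth.example.edu/logout"
LOCAL_SESSION_COOKIE = "APPSESSION"


def logout_response(session_store: dict, cookie_header: str) -> dict:
    """Build the HTTP response for a logout request.

    session_store maps local session ids to session data; cookie_header is
    the raw Cookie: header of the request.  Returns status, headers and body
    as plain data so it can be exercised without a web framework.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    local_id = jar[LOCAL_SESSION_COOKIE].value if LOCAL_SESSION_COOKIE in jar else None

    # 1. Drop the local session server-side, whether or not the cookie was valid.
    if local_id is not None:
        session_store.pop(local_id, None)

    # 2. Tell the browser to discard the local cookie: Max-Age=0 plus an
    #    Expires date in the past covers old and new browsers.
    expired = SimpleCookie()
    expired[LOCAL_SESSION_COOKIE] = ""
    expired[LOCAL_SESSION_COOKIE]["path"] = "/"
    expired[LOCAL_SESSION_COOKIE]["max-age"] = 0
    expired[LOCAL_SESSION_COOKIE]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"

    # 3. Redirect the browser to the SSO logout so the WebAuth cookie is
    #    disposed of there and every other WebAuth-enabled app sees the logout.
    return {
        "status": 302,
        "headers": [
            ("Location", WEBAUTH_LOGOUT_URL),
            ("Set-Cookie", expired.output(header="").strip()),
            ("Cache-Control", "no-store"),
        ],
        "body": b"",
    }


def is_logged_in(session_store: dict, cookie_header: str) -> bool:
    """What a protected page checks: a local session cookie that still maps
    to a live server-side session."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return LOCAL_SESSION_COOKIE in jar and jar[LOCAL_SESSION_COOKIE].value in session_store


if __name__ == "__main__":
    # Constructed sample: one live local session.
    store = {"abc123": {"user": "jdoe"}}
    cookie = f"{LOCAL_SESSION_COOKIE}=abc123; other=1"
    print(is_logged_in(store, cookie))
    resp = logout_response(store, cookie)
    print(resp["status"], dict(resp["headers"])["Location"])
    print(is_logged_in(store, cookie))
```

The local session is destroyed even when the cookie is missing or stale, and the response is marked no-store so the redirect itself is never served from a cache.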
File and directory security risks
- Use operating system encryption capabilities to protect files with private data
- Make sure that read/write/execute access on files and directories is correct:
  - Sensitive files (e.g. passwords, SSNs) are not world readable and are not located in web-accessible directories or their subdirectories
  - Sensitive data such as passwords, SSNs and account numbers is encrypted in files and/or databases
  - Log files are not world readable (keep in mind that URL query strings from GET requests are logged to a file)
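The two permission checks above, as an added audit script (not part of the slides): it flags sensitive files that are world readable and sensitive files that resolve to somewhere under the web server's document root. The directory layout and file names are constructed for the demonstration.

```python
"""Added example (not from the UCI slides): audit sensitive files for the two
conditions the slide lists on a Unix host.  Paths, modes and the document
root below are constructed for the demo."""

import os
import stat
import tempfile


def world_readable(path: str) -> bool:
    """True if 'other' has read permission on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def under_directory(path: str, root: str) -> bool:
    """True if path resolves to somewhere inside root (symlinks resolved, so a
    link from the document root into a private directory is caught too)."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_path, real_root]) == real_root


def audit(sensitive_files, docroot: str) -> list:
    """Return (path, problem) tuples; an empty list means the layout is clean."""
    findings = []
    for path in sensitive_files:
        if world_readable(path):
            findings.append((path, "world readable"))
        if under_directory(path, docroot):
            findings.append((path, "inside web document root"))
    return findings


def demo() -> list:
    """Build a throwaway layout with one file misplaced and one with loose
    permissions, then audit it.  Returns the findings."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    private = os.path.join(base, "private")
    os.makedirs(docroot)
    os.makedirs(private)

    bad_location = os.path.join(docroot, "db_password.txt")   # served by the web server
    bad_mode = os.path.join(private, "ssn_export.csv")        # readable by every local user
    good = os.path.join(private, "config.ini")                # private dir, owner-only

    for path in (bad_location, bad_mode, good):
        with open(path, "w") as fh:
            fh.write("secret\n")
    os.chmod(bad_location, 0o600)
    os.chmod(bad_mode, 0o644)
    os.chmod(good, 0o600)

    return audit([bad_location, bad_mode, good], docroot)


if __name__ == "__main__":
    for path, problem in demo():
        print(f"{problem}: {path}")
```

Run it against the real list of credential files and exports (and the access/error logs) with the real document root; the same `under_directory` check also catches a symlinked or mis-configured alias that exposes a "private" directory.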
Data modeling
- When designing database tables for an application, note that:
  - The application must be able to deal with cross-references
  - Campus_ID offers the greatest degree of flexibility when choosing a table key, as opposed to student ID or employee ID
  - The Social Security number should never be used as a person key, and should be avoided altogether
Storing sensitive data
- AVOID storing sensitive data if at all possible!
- If you have to store sensitive data:
  - Encrypt table records and/or files that contain: password, SSN, home phone/address, credit card, bank account, California driver's license, non-public student or employee data, or FERPA-blocked student data
  - Use encrypted transmission for data retrieval and modification
  - Educate end users about the sensitivity of the data
Storing sensitive data, cont'd
- Catalogue and inventory your use of personal data
- Make sure data is backed up: if the data is compromised, use the backups to determine and notify the affected individuals.
Sensitive data in cookies and URLs
- Do NOT store sensitive data of any kind in cookies or URLs (GET requests, including their query strings, are logged in web log files).
- Using WebAuth for authentication eliminates the need to invent an authentication mechanism (and to store passwords in cookies).
- Use non-persistent cookies (which disappear once the browser is closed) instead of persistent ones.
Communication between distributed components
- Document how the data is used by each component
- Transmissions/exchanges of private information must be encrypted using protocols like:
  - HTTPS
  - SFTP
  - SSH
  - Stunnel
  - VPN: http://www.nacs.uci.edu/security/vpn.html
- Always use the POST method when your forms submit any private information
Page Caching
- Be aware that pop-up windows with sensitive information may remain open even after logout
- Pages with sensitive data should not be cached: page content is easily accessed using the browser's history
- Use the following tags to disable page caching:
  <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
  <META HTTP-EQUIV="Cache-Control" CONTENT="no-store, no-cache">
  <META HTTP-EQUIV="Expires" CONTENT="-1">
- META tags only reach the browser, and only for HTML; send the same values as real HTTP response headers as well, since proxies and caches between the server and the browser look only at the headers
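The response-side half of the "Sensitive data in cookies and URLs" and "Page Caching" slides, and the POST rule from the previous slide, as one added example (not from the slides): it builds a session-only cookie and the HTTP headers equivalent to the META tags, and it shows why private fields must not travel in a GET query string by rendering the access-log line a web server would write. Cookie name, field names, addresses and the log format details are constructed for the example.

```python
"""Added example (not from the UCI slides): headers for a page that shows
private data, plus a look at what an access log records for GET versus
POST.  The cookie name, sensitive field names and the sample log line are
constructed for the example."""

from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def session_cookie(name: str, value: str, secure: bool = True) -> str:
    """Non-persistent cookie: no Expires/Max-Age, so the browser drops it when
    it closes.  HttpOnly keeps page scripts from reading it; Secure keeps it
    off plain HTTP."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if secure:
        jar[name]["secure"] = True
    return jar.output(header="").strip()


def no_cache_headers() -> list:
    """HTTP equivalents of the META tags; intermediate caches honour these,
    not the tags inside the HTML."""
    return [
        ("Cache-Control", "no-store, no-cache, must-revalidate"),
        ("Pragma", "no-cache"),
        ("Expires", "-1"),
    ]


def sensitive_page_headers(session_id: str) -> list:
    """Everything a response carrying private data should set."""
    return [("Set-Cookie", session_cookie("APPSESSION", session_id))] + no_cache_headers()


def access_log_line(method: str, url: str, status: int = 200) -> str:
    """A common-log-format line for the request: the request line, with any
    query string, is recorded; a POST body is not."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return '10.0.0.5 - - [20/Sep/2004:10:15:00 -0700] "%s %s HTTP/1.1" %d 512' % (
        method, target, status)


def query_leaks(line: str, fields=("ssn", "password", "card")) -> list:
    """Detection over a log line: which sensitive field names appear in the
    logged request line."""
    request = line.split('"')[1]
    _, target, _ = request.split(" ")
    query = urlsplit(target).query
    return [kv.split("=")[0] for kv in query.split("&")
            if kv and kv.split("=")[0] in fields]


if __name__ == "__main__":
    for name, value in sensitive_page_headers("7f3a9c"):
        print(f"{name}: {value}")
    get_line = access_log_line("GET", "https://app.example.edu/lookup?ssn=123456789&name=x")
    post_line = access_log_line("POST", "https://app.example.edu/lookup")
    print(get_line, query_leaks(get_line))
    print(post_line, query_leaks(post_line))
```

`query_leaks` is the sort of check worth running over a day of real access logs before a release: any hit means a form or a link is still putting private data into a URL, which also ends up in browser history and Referer headers.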
SQL Injection Attacks
- SQL injection examples are outlined in: http://searchdatabase.techtarget.com/searchDatabase/downloads/sqlServerSecurity.pdf
- To prevent these attacks:
  - Validate parameter types and values before using them in an SQL statement (never use raw parameter data in SQL), and pass values as bound parameters rather than concatenating them into the query text
  - Test for these vulnerabilities as part of functional testing
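The same lookup written the way the slide warns against and the way it recommends, as an added example (not from the slides or the linked paper), using an in-memory SQLite table with constructed rows. The campus ID format assumed by the validator (seven digits) is an assumption made for the example.

```python
"""Added example (not from the UCI slides): a person lookup with raw
parameter text pasted into SQL, beside the validated and bound version.
Rows, the seven-digit campus-ID format and the payload are constructed
for the demonstration."""

import re
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE person (campus_id TEXT PRIMARY KEY, name TEXT, home_phone TEXT)")
    con.executemany("INSERT INTO person VALUES (?, ?, ?)", [
        ("1000001", "A. Anteater", "949-555-0101"),
        ("1000002", "B. Bruin", "310-555-0102"),
        ("1000003", "C. Cardinal", "650-555-0103"),
    ])
    return con


def lookup_vulnerable(con, campus_id: str) -> list:
    """String concatenation: the parameter becomes part of the SQL grammar,
    so a quote in the input rewrites the WHERE clause."""
    sql = "SELECT campus_id, name FROM person WHERE campus_id = '" + campus_id + "'"
    return con.execute(sql).fetchall()


CAMPUS_ID_RE = re.compile(r"^\d{7}$")   # assumed format: exactly seven digits


def lookup_safe(con, campus_id: str) -> list:
    """Validate the type and shape first, then bind the value; the driver
    sends it as data, never as SQL text."""
    if not CAMPUS_ID_RE.match(campus_id):
        raise ValueError("campus_id must be seven digits")
    return con.execute(
        "SELECT campus_id, name FROM person WHERE campus_id = ?", (campus_id,)
    ).fetchall()


def demo() -> dict:
    """The functional test the slide asks for: run both versions with a
    normal value and with a tautology payload, and compare the row counts."""
    con = make_db()
    payload = "' OR '1'='1"
    results = {
        "vulnerable_normal": len(lookup_vulnerable(con, "1000002")),
        "vulnerable_injected": len(lookup_vulnerable(con, payload)),
        "safe_normal": len(lookup_safe(con, "1000002")),
    }
    try:
        lookup_safe(con, payload)
        results["safe_injected"] = "query ran"
    except ValueError:
        results["safe_injected"] = "rejected"
    # Binding alone, without the validator, already neutralises the payload:
    # it is compared as a literal string and matches nothing.
    results["bound_without_validation"] = len(con.execute(
        "SELECT campus_id FROM person WHERE campus_id = ?", (payload,)).fetchall())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable version returns every row for the payload because the query becomes `WHERE campus_id = '' OR '1'='1'`; the bound version returns nothing for it, and the validator rejects it before the database is touched. Keep both layers: the validator gives a clean error for bad input, the binding guarantees that input can never be interpreted as SQL.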
Code Reviews
- Employ peer code reviews to catch oversights
- More formal code reviews may be necessary for highly sensitive applications
Summary
- Understand what constitutes private data
- Understand security and privacy regulations
- Avoid storing sensitive data if possible
- Encrypt private data in storage and communication
- Review data storage and code periodically
- Make sure there is a backup person for the security administrator
Useful links
- UCOP IT security site: http://www.ucop.edu/irc/itsec/
- NACS security site: http://www.nacs.uci.edu/security/index.html
- AdCom application security checklist: http://snap.uci.edu/viewXmlFile.jsp?xml=webpages/xml/sdlc/checkListSecurityReview.xml