University of California, Irvine Security Awareness for Web Developers Katya Sadovsky [email protected] Administrative Computing Services TechnoExpo, September 2004

Report
University of California, Irvine
Security Awareness for Web
Developers
Katya Sadovsky
[email protected]
Administrative Computing Services
TechnoExpo, September 2004
1
University of California, Irvine (Administrative Computing Services)
Agenda
Overview of
privacy regulations
Security architecture design
Authentication with WebAuth
File and directory security risks
Modeling and storing sensitive data
Sensitive data in cookies and URLs
Communication between distributed components
Peer Code Reviews
TechnoExpo, September 2004
2
University of California, Irvine (Administrative Computing Services)
End User Security
Since developers also happen
to be end users of
computing, topics covered in the “End User
Security Awareness” session apply to attendees
of this session as well.
Session materials are available at:
http://apps.adcom.uci.edu/EnterpriseArch/Presen
tationsConferences/TechnoExpo2004EndUserSe
curity.ppt
TechnoExpo, September 2004
3
University of California, Irvine (Administrative Computing Services)
Privacy regulations
 State
Bill 1386 (State Law)
 Family Educational Rights and Privacy Act (FERPA)
 Health Insurance Portability and Accountability Act
(HIPAA)
 Digital Millennium Copyright Act
 Federal Trade Commission - Gramm-Leach-Bliley Act on
Customer Privacy
 USA Patriot Act of 2002
TechnoExpo, September 2004
4
University of California, Irvine (Administrative Computing Services)
State Bill 1386 (State Law)
 “Personal
information" means an individual's first name
or first initial and last name in combination with any one
or more of the following data elements, when either the
name or the data elements are not encrypted:
 Social
security number
 Driver's license number or California Identification Card
number.
 Account number, credit or debit card number, in combination
with any required security code, access code, or password
that would permit access to an individual's financial account.
TechnoExpo, September 2004
5
University of California, Irvine (Administrative Computing Services)
FERPA
Family Educational Rights
and Privacy Act
Federal law that protects the privacy of student
education records.
Allows students to block access to their
information or even existence.
Contact the Registrar for info and procedures.
TechnoExpo, September 2004
6
University of California, Irvine (Administrative Computing Services)
HIPAA
 Health
Insurance Portability and Accountability Act
 “Individually identifiable health information” is private and
must be protected in any form or media, whether
electronic, paper, or oral.
 Protect demographic data (i.e. name, address, birth
date, Social Security Number) related to:
 the
individual’s past, present or future physical or mental
health or condition
 the provision of health care to the individual
 the past, present, or future payment for the provision of health
care to the individual
TechnoExpo, September 2004
7
University of California, Irvine (Administrative Computing Services)
Campus Policies you must know
 You
can find all policies at http://www.policies.uci.edu
 714-11Guidelines for NACS Computer Usage
 714-12 Office of Academic Computing Policy on Ownership and
Rights of Access to Software and Data
 714-14Copying Computer Programs
 714-15 Policy on Access to University Administrative Information
Systems
 714-16Procedures for Accessing University Administrative
Information Systems
 714-17Using University Administrative Information Systems
 714-18 Computer and Network Use Policy
TechnoExpo, September 2004
8
University of California, Irvine (Administrative Computing Services)
Using sensitive data in applications
Getting necessary approvals:
The
Payroll/Personnel office or Human Resources
must grant approval for access to private employee
information
The Registrar has a formal process for approving
student data release
TechnoExpo, September 2004
9
University of California, Irvine (Administrative Computing Services)
Security Architecture Design
The Security Architecture must facilitate:
proper
and efficient identification
authentication
authorization
administration and auditability
Identity management:
 uniqueness
 account
management
TechnoExpo, September 2004
10
University of California, Irvine (Administrative Computing Services)
Security Architecture Design
The Security Architecture also should:
be
flexible to support the introduction and/or
integration of new technologies
address and support multiple levels of protection,
including database, network level, operating system,
and application level security needs
provide a modular approach to authentication,
authorization, and accounting
TechnoExpo, September 2004
11
University of California, Irvine (Administrative Computing Services)
Security Architecture Design
Other design
considerations:
Consider
security during initial system design
Minimize the number of security devices
Delegate access control where appropriate
Centralize security policy, maintenance operation and
oversight functions
Utilize Open Standards
Assign Security levels consistently and at the lowest
level of access required by the individual
TechnoExpo, September 2004
12
University of California, Irvine (Administrative Computing Services)
Authentication with WebAuth
 WebAuth
is the campus single-signon authentication
mechanism
 General information is available at
http://www.nacs.uci.edu/help/webauth
 There is some additional info for Java programmers at
http://snap.uci.edu/PortalDocs/webAuth/ssoWithWebAut
h.html
 Single-Signon = Single-Signoff!
 Once
a user logs off one WebAuth-enabled application, s/he
should be logged off all others
TechnoExpo, September 2004
13
University of California, Irvine (Administrative Computing Services)
Authentication with WebAuth
 Understand
different timeouts:
 Cookie
age
 Local session timeout
 Logout:
 Do
not use “backend” logouts, since they do not dispose of a
cookie correctly; use HTTP redirects instead.
 Test your applications to make sure they reflect the logout as
soon as it’s sent to WebAuth from this or any other application
(even if there is a local session)!
TechnoExpo, September 2004
14
University of California, Irvine (Administrative Computing Services)
File and directory security risks
 Use
operating system encryption capabilities to protect
files with private data
 Make sure that
 Read/Write/Execute
access on Files and Directories is correct
 Sensitive files (i.e. passwords, SSN) are not world readable
and are not located in Web accessible directories or subdirectories
 Sensitive data such as passwords, SSN, account number is
encrypted in files and/or databases
 Log files are not world readable (keep in mind that URL query
strings from GET requests are logged to a file)
TechnoExpo, September 2004
15
University of California, Irvine (Administrative Computing Services)
Data modeling
When designing database tables for an
application, note that:
Application
must be able to deal with cross-
references
Campus_ID offers the greatest degree of flexibility
when choosing a table key, as opposed to student ID
or employee ID
Social Security Number should never be used as a
person key and should be avoided
TechnoExpo, September 2004
16
University of California, Irvine (Administrative Computing Services)
Storing sensitive data
AVOID storing sensitive data if
at all possible!
If you have to store sensitive data:
Encrypt
table records and/or files that contain:
 password,
SSN, home phone/address, credit card, bank
account, California Driver's License, non-public student or
employee data, or FERPA blocked student data
Use
encrypted transmission for data retrieval and
modification
Educate end users about the sensitivity of the data
TechnoExpo, September 2004
17
University of California, Irvine (Administrative Computing Services)
Storing sensitive data, cont’d
Catalogue
and inventory your use of personal data
Make sure data is backed up:
 In
the case data is compromised, use backups to notify
affected individuals.
TechnoExpo, September 2004
18
University of California, Irvine (Administrative Computing Services)
Sensitive data in cookies and URLs
Do
NOT store sensitive data of any kind in
cookies or URLs (GET requests are logged in
web log files).
Using WebAuth for authentication eliminates the
need to invent an authentication mechanism (and
store passwords in cookies ).
Use non-persistent cookies (that disappear once
a browser is closed) instead of persistent ones.
TechnoExpo, September 2004
19
University of California, Irvine (Administrative Computing Services)
Communication between distributed components
 Document
how the data is used by each component
 Transmissions/exchanges of private information must be
encrypted using protocols like:
 HTTPS
 SFTP
 SSH
 STunnel
 VPN:
http://www.nacs.uci.edu/security/vpn.html
 Always
use a POST method when your forms submit
any private information
TechnoExpo, September 2004
20
University of California, Irvine (Administrative Computing Services)
Page Caching
 Be
aware that pop-up windows with sensitive information
may remain open even after logout
 Pages with sensitive data should not be cached: page
content is easily accessed using browser’s history
 Use the following tags to disable page caching:
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT=“no-store, no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
TechnoExpo, September 2004
21
University of California, Irvine (Administrative Computing Services)
SQL Injection Attacks
SQL Injection examples are
outlined in:
http://searchdatabase.techtarget.com/searchData
base/downloads/sqlServerSecurity.pdf
To prevent these hacks:
Validate
parameter types and values before inserting
them into an SQL statement (never use raw
parameter data for SQL)
Test for these vulnerabilities as part of a functional
test
TechnoExpo, September 2004
22
University of California, Irvine (Administrative Computing Services)
Code Reviews
Employ
peer code reviews to catch oversights
More formal code reviews may be necessary for
highly sensitive applications
TechnoExpo, September 2004
23
University of California, Irvine (Administrative Computing Services)
Summary
Understand what
constitutes private data
Understand security and privacy regulations
Avoid storing sensitive data if possible
Encrypt private data in storage and
communication
Review data storage and code periodically
Make sure there is a backup person for the
security administrator
TechnoExpo, September 2004
24
University of California, Irvine (Administrative Computing Services)
Useful links
UCOP IT security site:
http://www.ucop.edu/irc/itsec/
NACS security site:
http://www.nacs.uci.edu/security/index.html
AdCom application security checklist:
http://snap.uci.edu/viewXmlFile.jsp?xml=webpag
es/xml/sdlc/checkListSecurityReview.xml
TechnoExpo, September 2004
25
University of California, Irvine (Administrative Computing Services)
Questions?
TechnoExpo, September 2004
26

similar documents