The ever-expanding number of mobile users running web apps has raised the profile of the IT security staff at Chapman University in Orange, Calif. Today, students use web browsers on mobile devices to access event calendars, check bus schedules, view grades, read assignments and participate in discussions.
Todd Plesco, the university’s director of information security, says IT security’s role will only expand as the college deploys a web-based version of Oracle PeopleSoft. The new enterprise, resource and planning system lets faculty and staff access human resources, finance and student record information via web browsers.
Keeping these web apps secure requires multiple layers of defense, and Plesco says penetration testing serves as the first layer. The IT staff also bolsters security with Fortinet’s FortiGate web application firewall, a product that complements the university’s mix of Fortinet firewalls for its existing network.
“We know that as we add more web applications, we will have to step up security. We’re taking it one step at a time,” Plesco says, adding that while penetration testing is still done manually, the university may switch to a commercial tool sometime soon.
Jeff Wilson, principal analyst with Infonetics Research, says there are many reasons why colleges and universities should make securing web applications a top priority. Mobile versions of web apps are yet another stream of code that must be maintained, managed and checked for vulnerabilities.
“Custom code, or simply poor coding that leaves vulnerabilities in the code during development, can cause real security problems,” Wilson says.
“If you have the right tools and can get at the code to fix the problems, you’ll be in pretty good shape. But if you don’t have access to the code because the application was outsourced or built on a platform where you are at the mercy of the platform developer, it’s more difficult to find and fix vulnerabilities,” he adds.
At Carnegie Mellon University in Pittsburgh, development and testing of web applications takes place campuswide.
The percentage of web applications that are vulnerable to an injection attack, where internal databases are accessed through a website
SOURCE: 2011 Top Cyber Security Risks Report (HP)
“We have IT shops all over campus delivering web-based applications using different technology and tools,” explains Mary Ann Blair, the university’s director of information security.
Because app development is widely distributed across campus, Blair’s staff focuses on publishing security guidelines, providing design consulting and review, hosting training opportunities and conducting penetration testing.
“The goal is to ensure that campus developers are equipped to deploy web apps that can defend against common attacks such as SQL injection, cross-site scripting and cross-site request forgery,” Blair adds.
Tools of the App Security Trade
There are several possible tools that colleges and universities can use to ensure the security of their web apps, including penetration testing and web application firewalls.
Penetration testing tools, such as IBM Rational AppScan and Tenable Network Security’s Nessus ProfessionalFeed, actively try to find vulnerabilities in web apps caused by problems such as cross-site scripting and SQL injection. They work by simulating the methods real attackers might use, but without actually damaging the web application. Typical features of these tools include both static and dynamic testing, content audits (for example, for adult content and personally identifiable information), and the ability to pinpoint specific lines of code causing problems. They are also used for compliance auditing.
Web application firewalls are just that: firewalls that protect web applications. Marketed by providers such as Fortinet, Barracuda Networks, F5 Networks, WatchGuard Technologies and Imperva, these products block threats such as cross-site scripting, SQL injection, buffer overflows and denial of service cookie poisoning. They can also help organizations comply with the Payment Card Industry Data Security Standard. Other features include load balancing and Secure Sockets Layer offloading and acceleration.
Although these tools are invaluable, there is also great value in old-fashioned ingenuity, says Jeff Wilson, principal analyst at Infonetics.
“Whatever investment you make in web application security, there will still be bugs you miss,” he says. “Consider trying the crowdsourcing approach, like Google does. They pay a bounty to anyone who finds bugs in their code.”