Sometimes the only way to make progress is to leave something behind.
Berea City School District in Ohio has kept web apps secure for years, but as the district delivers more of its curriculum online, security has become a top priority.
The focus on web app security started seven years ago, when the 7,300-student district installed its first Barracuda Networks 300 spam and virus firewall. Not long after that, the district added a Barracuda Web Filter 410, which supports 800 concurrent users and 80 megabit-per-second throughput, while performing virus and spyware detection and elimination.
Kevin Jaynes, the district’s technology director, says the Barracuda gear helps him manage web applications in a way that’s flexible enough to easily add security exceptions so that certain sites are prohibited or blocked, while also filtering out vulnerabilities. This keeps the district in compliance with the Children’s Internet Protection Act, which requires K–12 schools to use Internet filters to protect students from harmful online content.
As the district’s reliance on web apps expanded, Jaynes upgraded to a Barracuda 810 web filter, which can support 3,000 concurrent user connections and has 200Mbps throughput.
“We had many web applications with populations that needed different types of access, so we decided to split access into two web application filters,” Jaynes explains. “We purchased a second Barracuda 410 for our teaching staff and reconfigured the network to allow staff-only access to the new web filter.”
Although the district doesn’t use formal penetration testing tools, the IT department has stringent rules and procedures that have tightened security across its internal and web application servers, backed by a network firewall and endpoint protection for the servers.
Jeff Wilson, principal analyst with Infonetics Research, says there are many reasons why school districts should make securing web applications a top priority. Mobile versions of web apps are yet another stream of code that must be maintained, managed and checked for vulnerabilities.
“Custom code, or simply poor coding that leaves vulnerabilities in the code during development, can cause real security problems,” Wilson says.
Sidebar: The percentage of web applications that are vulnerable to an injection attack, where internal databases are accessed through a website. SOURCE: 2011 Top Cyber Security Risks Report (HP)
“If you have the right tools and can get at the code to fix the problems, you’ll be in pretty good shape. But if you don’t have access to the code because the application was outsourced or built on a platform where you are at the mercy of the platform developer, it’s more difficult to find and fix vulnerabilities,” he adds.
The Orange County Department of Education (OCDE) in California uses two-factor authentication to protect web apps for its 28 school districts: before an employee can access any information from a district location via a web browser, he must enter a password and insert a unique encrypted token device into a USB port.
But it doesn’t end there. The IT department at OCDE also performs regular internal and external penetration tests on its data center, and independent IT auditors review control procedures regularly. OCDE’s IT department also hopes to add a web application firewall as another layer of protection in the future.
“We have implemented an approach that is fiscally prudent, and we are constantly reviewing the procedures and processes in place,” says Carl Fong, the OCDE’s executive director of information technology. “We know that technology changes constantly, and for information security, we try to balance that need with established controls and procedures.”
There are several possible tools that school districts can use to ensure the security of their web apps, including penetration testing and web application firewalls.
Penetration testing tools, such as IBM Rational AppScan and Tenable Network Security’s Nessus ProfessionalFeed, actively try to find vulnerabilities in web apps caused by problems such as cross-site scripting and SQL injection. They work by simulating the methods real attackers might use, but without actually damaging the web application. Typical features of these tools include both static and dynamic testing, content audits (for example, for adult content and personally identifiable information), and the ability to pinpoint specific lines of code causing problems. They are also used for compliance auditing.
Web application firewalls are just that: firewalls that protect web applications. Marketed by providers such as Fortinet, Barracuda Networks, F5 Networks, WatchGuard Technologies and Imperva, these products block threats such as cross-site scripting, SQL injection, buffer overflows, denial of service and cookie poisoning. They can also help organizations comply with the Payment Card Industry Data Security Standard. Other features include load balancing and Secure Sockets Layer offloading and acceleration.
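The two flaws named above, SQL injection and cross-site scripting, are what scanners such as AppScan flag and what web application firewalls try to block at the network edge. The following is an added example, not code from the article or from any of the vendors it names; it uses a constructed in-memory SQLite "student portal" table to show the code defect each tool category is looking for next to the fix a developer would apply, which is the "get at the code" route Wilson describes. The table name, rows and function names are all assumptions made for the illustration.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for a district web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [(1, "alice", "A"), (2, "bob", "B"), (3, "carol", "C")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Injection-prone lookup: the user-supplied name is spliced into the SQL text,
    so anything that closes the quote becomes part of the query."""
    query = "SELECT name, grade FROM students WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened lookup: the driver binds the value as data, never as SQL,
    so a quote in the input cannot change the query's structure."""
    return conn.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """XSS-prone rendering: user input is placed into HTML unescaped."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_escaped(name):
    """Hardened rendering: html.escape neutralises tag and attribute characters."""
    return "<p>Welcome, " + html.escape(name) + "</p>"


def scan_report():
    """Mimic what a scanner summarises: does a crafted input change behaviour?
    Returns a dict of finding name -> True if the vulnerable path is exploitable
    while the hardened path is not."""
    conn = make_db()
    # Constructed probe inputs of the kind a scanner submits to a form field.
    sqli_probe = "' OR '1'='1"
    xss_probe = "<b>bob</b>"

    sqli_finding = (
        len(lookup_vulnerable(conn, sqli_probe)) == 3      # every row leaks
        and len(lookup_parameterized(conn, sqli_probe)) == 0  # nothing matches
    )
    xss_finding = (
        "<b>" in render_greeting_vulnerable(xss_probe)
        and "<b>" not in render_greeting_escaped(xss_probe)
    )
    return {"sql_injection": sqli_finding, "cross_site_scripting": xss_finding}


if __name__ == "__main__":
    for finding, confirmed in scan_report().items():
        print(f"{finding}: {'vulnerable path confirmed, fix verified' if confirmed else 'no finding'}")
```

The contrast is the practical point for a district weighing tools: a web application firewall can only inspect the probe strings on the wire, whereas a parameterized query or output escaping removes the defect regardless of what arrives, which is why the article treats the two as layers rather than alternatives.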
Although these tools are invaluable, there is also great value in old-fashioned ingenuity, says Jeff Wilson, principal analyst at Infonetics.
“Whatever investment you make in web application security, there will still be bugs you miss,” he says. “Consider trying the crowdsourcing approach, like Google does. They pay a bounty to anyone who finds bugs in their code.”