Application Risk Management @ UW-Madison


10 Dec 2013 (3 years and 8 months ago)


10/29/2012


Application Risk Management @ UW-Madison

2012 Fall Policy Forum

by Monica Bush, Office of Campus Information Security

Reputational risk is real

Which assets are easy to expose?

What are the issues?


Government Industry

Internally Developed Applications:

84% of Web Apps Had Major Issues

82% of Non-Web Apps Had Major Issues

* Data from Veracode 2011 State of Software Security Report

Government Industry

Cross-site Scripting (XSS): 75%

Information Leakage: 66%

Cryptographic Issues: 35%

Directory Traversal: 31%

Insufficient Input Validation: 27%

OS Command Injection: 19%

Where are the issues?

* Data from Veracode SANS AppSec 2012


Top 3 vulnerabilities distribution by language

* Data from Veracode 2011 State of Software Security Report

[Chart: top 3 vulnerabilities by language]

ColdFusion: XSS 87%, SQLi 8%, Directory Traversal 1%

PHP: XSS 75%, Directory Traversal 16%, SQLi 10%

Java: XSS 56%, CRLF 16%, Information Leakage 10%

.NET: XSS 47%, Information Leakage 18%, Cryptographic Issues 10%

Where are the issues?

[Chart: top 3 vulnerabilities, Android]

Cryptographic Issue Entropy: 61%

Hard Coded Key: 42%

Information Exposure: 39%


Demonstration

The departmental steward of the web site shown in the video kindly allowed OCIS to perform an active attack for educational purposes.

The department was selected for a demo because the data output is considered non-sensitive.

Acquire written notice with permission to test any system BEFORE you send a single packet.


Addressing Application Risk

Indiana University

Applications written to support the IU School of Medicine are developed using secure coding practices and follow an accepted application programming standard.



Addressing Application Risk

University of Missouri

All applications used to acquire, store, report, manipulate, or transmit University owned information assets (data) must be registered.

The university has the authority to audit systems as required and to prohibit the use of insecure applications.

Addressing Application Risk

University of Arizona

Each unit will protect university resources by adopting and implementing, at a minimum, the security standards and procedures.

The Web Application Review requires annual scanning of all web applications.

The Application Standard requires scanning of all new or significantly modified applications before they are released to a production environment.

Addressing Application Risk

NC Dept. of Health and Human Services

To keep risk to an acceptable level, units must ensure security controls are implemented for each application. These controls will vary in accordance with the sensitivity and criticality of each application.

Requirements: (1) application security standards and implementation guidelines; (2) the implementation of security controls during the system's lifecycle; and (3) security documentation.

How about UW-Madison?

Discussion question:

Using the example solutions as one source of ideas, how might we implement web application security risk management here at UW-Madison?