Educause Security Discussion mailing list archives
Re: Web Security - what do you do?
From: Karen Stopford <stopfordk () CT EDU>
Date: Thu, 7 May 2009 13:00:09 -0400
I don’t think installing a Web Application Firewall is an adequate compensating control for vulnerable code. Appropriate bounds setting, input validation, use of stored procedures, etc. should be a requirement for any in-house or COTS application. I understand using the firewall until the existing portfolio can be addressed and developers are trained; however, I would be concerned about a false sense of security. Building security in to the application’s functionality has a much better chance of withstanding new attack vectors than a firewall that is looking at the client, rather than the application, behavior.

Just my two cents worth.

Karen

Faith is taking the first step even when you don't see the whole staircase. –Martin Luther King, Jr.

C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT 06105
(860) 493-0116

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hugh Burley
Sent: Thursday, May 07, 2009 11:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Web Security - what do you do?

At TRU we had an external Web Penetration test completed in 2006. This allowed us to show that there were many vulnerabilities across our various web portals and services which would allow privilege escalation through XSS and SQL Injection attacks, among others. This drove the implementation of a Web Application Firewall, which meets the PCI DSS requirement for a compensating control for secure web coding.

A key issue with this implementation is ensuring that your institution has adequate staffing to support implementation and management of this new device. A rough estimate: two weeks for implementation/training, and an hour per day for management.

Regards,

Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security
BCCOL - 222D
250-852-6351
Greg Vickers <g.vickers () QUT EDU AU> 06/05/2009 6:25 pm >>>
Hi all,

The QUT IT Security Program is undertaking the Web Security project, which will review the security of the QUT web presence. This project encompasses our current tools, procedures and practices (including development and training approaches). We will investigate tools that could be leveraged to improve the security of the web presence at QUT, such as:

* Web server scanning tools,
* Tools to better manage web infrastructure, e.g., cPanel and other web host managers,
* Web application development training and certification,
* Other technologies to find web servers with vulnerabilities.

This project is not looking directly at the security of the web servers themselves (i.e. operating system level) but at the security of the web server applications and the actual web site code.

We would like to know what tools, training, standards and developmental activities, etc., that your University or higher education institution use in this space.

If further clarification is required, please contact the project manager at QUT, Greg Vickers (+61 7 3138 6902), email: g.vickers () qut edu au

Thanks,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
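The following is an added illustration of the point Karen makes above about building the control into the application rather than in front of it; it is not code from any of the posters or their institutions. It puts a query assembled by string concatenation beside two hardened forms: a parameterized query (which binds the input as data, the same property Karen's "stored procedures" give) and the same query with an allowlist bounds check added in front of it. SQLite is used only so the example runs offline without a database server; the table, user names and inputs are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Build a small in-memory table (constructed data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.edu"),
            ("carol", "carol@example.edu"),
            ("obrien", "obrien@example.edu"),
        ],
    )
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable form: the caller's input is spliced into the SQL text.

    Anything the caller supplies is interpreted by the SQL parser, so a
    quote character changes the structure of the query itself.
    """
    sql = (
        "SELECT email FROM users WHERE username = '"
        + username
        + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the input is bound as a value, never parsed as SQL.

    This is the property a stored procedure or prepared statement gives;
    the query structure is fixed before the input is ever seen.
    """
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ? ORDER BY username",
        (username,),
    )
    return [row[0] for row in rows]


# Allowlist for what a username is permitted to look like (an assumed
# policy for this example: lowercase letters, digits, underscore, 1-32 chars).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_validated(conn, username):
    """Hardened form plus bounds/allowlist check, as Karen recommends.

    Input validation rejects malformed values at the application boundary;
    parameterization still protects the query even if validation is later
    loosened, so the two layers are complementary rather than redundant.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote: the concatenated query no longer
    # means "this one user", while the parameterized query treats it as a
    # literal (and non-existent) username.
    probe = "' OR '1'='1"
    print("unsafe:        ", lookup_unsafe(db, probe))
    print("parameterized: ", lookup_parameterized(db, probe))
    try:
        lookup_validated(db, probe)
    except ValueError as exc:
        print("validated:     ", exc)
```

Running the block shows the concatenated query returning every row for the probe input, the parameterized query returning nothing, and the validated lookup refusing the input before any SQL runs. The detection-side lesson matches Karen's argument: a device inspecting client traffic has to recognise every shape such an input can take, whereas the parameterized query never gives the input a chance to be parsed in the first place.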
Current thread:
- Web Security - what do you do? Greg Vickers (May 06)
- <Possible follow-ups>
- Re: Web Security - what do you do? Pratt, Benjamin E. (May 07)
- Re: Web Security - what do you do? Hugh Burley (May 07)
- Re: Web Security - what do you do? Karen Stopford (May 07)
- Re: Web Security - what do you do? Pace, Guy (May 07)
- Re: Web Security - what do you do? Jason Testart (May 07)
- Re: Web Security - what do you do? Christopher Jones (May 07)
- Re: Web Security - what do you do? Rowe, Ken (May 07)
- Re: Web Security - what do you do? St Clair, Jim (May 07)
- Re: Web Security - what do you do? Gary Flynn (May 07)
- Re: Web Security - what do you do? Paul Keser (May 07)
- Re: Web Security - what do you do? Karen Stopford (May 11)
- Re: Web Security - what do you do? Russell Fulton (May 11)