Educause Security Discussion mailing list archives
Re: Information Security Plan
From: Valdis Kletnieks <valdis.kletnieks () VT EDU>
Date: Thu, 14 Dec 2017 11:19:27 -0500
On Thu, 14 Dec 2017 15:05:37 +0000, Adam Maynard said:
> A lot of Higher Ed uses Spirion (formerly Identity Finder).
I think he wanted a source code scanner, to identify where code was handling PII so it could be audited more closely. Unfortunately, that's going to be tough - alerting on every occurrence of string(9) or string(11) (SSN with/without -) will probably false-positive too much, while missing places where it's handled as just string(). And you can't make a white/black list until you already know the answer... So you *could* search for places where it validates that it's 3 digits 2 digits 4 digits, except that misses places where somebody forgot to do validation... :)

For what it's worth, the Linux kernel developers use a tool called Coccinelle to do semantic searches through C code (though it may be able to handle other languages too).
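Added example, not from the thread or from any tool it mentions: a small Python scanner that applies the three heuristics described above (fixed-width 9/11-character fields, a 3-2-4 digit validation regex in the source, and SSN-like identifier names) to constructed sample lines. It shows the ZIP+4 CHAR(9) false positive and the unvalidated tax_id field that only the identifier hint catches. The sample source, heuristic names and the scan function are all constructed for this illustration.

```python
import re
from typing import List, Tuple

# Constructed sample source lines (SQL, C and Python fragments); not from any real code base.
SAMPLE_SOURCE = """\
CREATE TABLE emp (zip_plus4 CHAR(9), ssn VARCHAR(11));
char ssn_buf[12];
if not re.match(r"^\\d{3}-?\\d{2}-?\\d{4}$", value): raise ValueError
tax_id = request.form["tin"]
name = String(40)
"""

# Each heuristic is (name, compiled regex applied to one source line).
HEURISTICS = [
    # Fixed-width 9/11-character fields: catches SSN columns, but also ZIP+4 and
    # anything else that happens to be 9 or 11 characters wide (noisy).
    ("width9_11", re.compile(
        r"\b(?:string|char|varchar|nchar|nvarchar)\s*\(\s*(?:9|11)\s*\)", re.I)),
    # A 3-2-4 digit validation pattern written as a regex literal in the source.
    # Misses code that never validates at all.
    ("ssn_regex", re.compile(r"\\d\{3\}.{0,4}\\d\{2\}.{0,4}\\d\{4\}")),
    # Identifier names that suggest an SSN/TIN regardless of declared type;
    # underscores next to the name are allowed (ssn_buf, tax_id).
    ("ssn_name", re.compile(
        r"(?<![A-Za-z0-9])(?:ssn|social_?security|tax_?id)(?![A-Za-z0-9])", re.I)),
]


def scan(source: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, stripped line, [heuristic names]) for every line that
    trips at least one heuristic. Hits are candidates for review, not findings."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        reasons = [name for name, rx in HEURISTICS if rx.search(line)]
        if reasons:
            hits.append((n, line.strip(), reasons))
    return hits


def needs_manual_triage(reasons: List[str]) -> bool:
    """A hit backed only by field width (no name, no validation regex) is the
    kind most likely to be a false positive, e.g. zip_plus4 CHAR(9)."""
    return reasons == ["width9_11"]


if __name__ == "__main__":
    for line_no, text, reasons in scan(SAMPLE_SOURCE):
        flag = " (width only: triage)" if needs_manual_triage(reasons) else ""
        print(f"{line_no}: {reasons}{flag}  {text}")
```

Line 1 fires on both the ZIP+4 column and the real SSN column, line 4 is caught only by its name, and the String(40) declaration on line 5 is correctly ignored.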