Educause Security Discussion mailing list archives

Re: Information Security Plan


From: Valdis Kletnieks <valdis.kletnieks () VT EDU>
Date: Thu, 14 Dec 2017 11:19:27 -0500

On Thu, 14 Dec 2017 15:05:37 +0000, Adam Maynard said:

> A lot of Higher Ed uses Spirion (formerly Identity Finder).

I think he wanted a source code scanner, to identify where code was handling
PII so it could be audited more closely.  Unfortunately, that's going to be
tough - alerting on every occurrence of string(9) or string(11) (SSN with/
without '-') will probably false-positive too much, while missing places where it's
handled as just string().  And you can't make a white/black
list until you already know the answer....

So you *could* search for places where it validates that it's 3 digits, 2 digits, 4 digits,
except that misses places where somebody forgot to do validation.. :)

For what it's worth, the Linux kernel developers use a tool called Coccinelle to do
semantic searches through C code (though it may be able to handle other languages too).
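[Added example, not part of the original message or of any tool named in it.
The script below is a toy, written here to illustrate the two approaches
Valdis contrasts: a length-based textual heuristic (flag every String(9) or
String(11)) versus a structural search over the parsed program, in the spirit
of what Coccinelle does for C, here done with Python's own ast module over
Python source.  The sample module it scans is constructed for this example;
the Column/String/db names in it are assumed ORM-style placeholders, not a
real API.  It finds the validator by the 3-2-4 regex shape, then reports
SSN-handling functions that never reach that validator, which is exactly the
case the regex-only search would miss.]

```python
"""Toy semantic search for SSN-handling code (added example, not from the thread).

Two strategies over the same parsed module:
  - length_heuristic(): flag String(9)/String(11) column definitions (textual idea,
    false-positives on the 9-digit ZIP+4 field)
  - analyze(): find the 3-2-4 regex validator, then the functions that handle
    SSN-named data without ever calling it
"""
import ast
import re

# Constructed sample module (not from any real codebase). Column/String/db/Base are
# assumed ORM-style placeholders; the module is parsed, never executed.
SAMPLE_SOURCE = r'''
import re

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

class Applicant(Base):
    ssn = Column(String(11))
    zip4 = Column(String(9))

def validate_ssn(value):
    return bool(SSN_RE.match(value))

def enroll(name, ssn):
    if not validate_ssn(ssn):
        raise ValueError("bad SSN")
    db.insert("applicants", name=name, ssn=ssn)

def import_legacy(row):
    # handles an SSN but never validates it
    social = row["ssn"]
    db.insert("applicants", name=row["name"], ssn=social)

def split_zip(z):
    return z[:5], z[5:]
'''

# A regex *literal* that has the 3-2-4 digit-group shape, with anything non-digit between.
SSN_SHAPE = re.compile(r"\\d\{3\}\D*\\d\{2\}\D*\\d\{4\}")
# Identifier / string-key hint that a value is an SSN.
NAME_HINT = re.compile(r"ssn|social", re.I)
# Field widths the textual heuristic keys on: 11 with dashes, 9 without.
LENGTH_HINT = {9, 11}


def length_heuristic(source):
    """Textual approach: names assigned from a String(9)/String(11)-style call."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        for sub in ast.walk(node.value):
            if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                    and sub.func.id == "String" and len(sub.args) == 1
                    and isinstance(sub.args[0], ast.Constant)
                    and sub.args[0].value in LENGTH_HINT):
                hits.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return sorted(hits)  # includes zip4: the false positive Valdis predicts


def ssn_regex_names(tree):
    """Names bound to a compiled regex whose pattern literal has the 3-2-4 shape."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            for arg in node.value.args:
                if (isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                        and SSN_SHAPE.search(arg.value)):
                    names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names


def analyze(source):
    """Structural approach: validators, SSN handlers, and handlers that skip validation."""
    tree = ast.parse(source)
    regex_names = ssn_regex_names(tree)
    validators, handlers = set(), {}
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        body_names = {n.id for n in ast.walk(fn) if isinstance(n, ast.Name)}
        params = {a.arg for a in fn.args.args}
        string_keys = {n.value for n in ast.walk(fn)
                       if isinstance(n, ast.Constant) and isinstance(n.value, str)}
        if body_names & regex_names:
            validators.add(fn.name)  # it applies the 3-2-4 regex itself
        if any(NAME_HINT.search(s) for s in body_names | params | string_keys):
            # record which plain function names this handler calls
            handlers[fn.name] = {n.func.id for n in ast.walk(fn)
                                 if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}
    unvalidated = sorted(name for name, called in handlers.items()
                         if name not in validators and not (called & validators))
    return {"validators": sorted(validators),
            "handlers": sorted(handlers),
            "unvalidated": unvalidated}


if __name__ == "__main__":
    print("length heuristic flags:", length_heuristic(SAMPLE_SOURCE))
    print(analyze(SAMPLE_SOURCE))
```

On the sample, the length heuristic flags both `ssn` and `zip4`, while
analyze() reports `validate_ssn` as the validator and `import_legacy` as the
handler that never reaches it.  The name-hint step is the weak link, as the
message says: a function that receives the SSN under a neutral name like
`value` or `field7` is invisible to both approaches, which is why no
black/white list can be built before the audit has already been done.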
