Educause Security Discussion mailing list archives

Re: Web Security - what do you do?


From: Karen Stopford <stopfordk () CT EDU>
Date: Thu, 7 May 2009 13:00:09 -0400

I don’t think installing a Web Application Firewall is an adequate compensating control for vulnerable code. Appropriate bounds setting, input validation, use of stored procedures, etc. should be a requirement for any in-house or COTS application. I understand using the firewall until the existing portfolio can be addressed and developers are trained; however, I would be concerned about a false sense of security. Building security into the application’s functionality has a much better chance of withstanding new attack vectors than a firewall that is looking at the client, rather than the application, behavior. Just my two cents’ worth.
Karen
Faith is taking the first step even when you don't see the whole staircase. –Martin Luther King, Jr.
C. Karen Stopford, CISSP
Associate Executive Officer for I.T. Security
CT State University System
39 Woodland Street
Hartford, CT  06105
(860) 493-0116
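As an added illustration of the point above (example code, not part of the original message): the same lookup written with string concatenation and with a bound parameter, plus the kind of in-application bounds and input check the message recommends. The table and the crafted input are constructed for the example; the structure of the parameterised query does not change with the input, which is why it holds up without any device in front of it.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table (sample data for this example only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "student"), ("bob", "staff"), ("carol", "admin")],
    )
    return conn


def lookup_concat(conn, username):
    # Vulnerable form: the client-supplied value becomes part of the SQL text,
    # so the query's structure depends on what the client sends.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    # Hardened form: the value is bound as a parameter; the SQL structure is
    # fixed regardless of the input, so the database never interprets it as code.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    # Bounds setting and input validation inside the application: accept only
    # the expected shape (1..32 alphanumeric characters) before the data layer.
    return 1 <= len(username) <= 32 and username.isalnum()


def demo():
    # Constructed input that changes the meaning of the concatenated query.
    crafted = "x' OR '1'='1"
    conn = make_db()
    return {
        "concat_rows": len(lookup_concat(conn, crafted)),  # every row leaks
        "param_rows": len(lookup_param(conn, crafted)),    # no such user
        "crafted_passes_validation": is_valid_username(crafted),
    }


if __name__ == "__main__":
    print(demo())
```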

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hugh Burley
Sent: Thursday, May 07, 2009 11:59 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Web Security - what do you do?

At TRU we had an external Web Penetration test completed in 2006. This allowed us to show that there were many vulnerabilities across our various web portals and services that would allow privilege escalation through XSS and SQL Injection attacks, among others. This drove the implementation of a Web Application Firewall, which meets the PCI DSS requirement for a compensating control for secure web coding.

A key issue with this implementation is ensuring that your institution has adequate staffing to support implementation and management of this new device. A rough estimate: two weeks for implementation/training, and an hour per day for management.

Regards,


Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security
BCCOL - 222D
250-852-6351

Greg Vickers <g.vickers () QUT EDU AU> 06/05/2009 6:25 pm >>>
Hi all,

The QUT IT Security Program is undertaking the Web Security project, which will review the security of the QUT web presence. This project encompasses our current tools, procedures and practices (including development and training approaches). We will investigate tools that could be leveraged to improve the security of the web presence at QUT, such as:

* Web server scanning tools,
* Tools to better manage web infrastructure, e.g., cPanel and other web host managers,
* Web application development training and certification,
* Other technologies to find web servers with vulnerabilities.

This project is not looking directly at the security of the web servers themselves (i.e., at the operating system level) but at the security of the web server applications and the actual web site code. We would like to know what tools, training, standards, developmental activities, etc., your University or higher education institution uses in this space.

If further clarification is required, please contact the project manager at QUT, Greg Vickers (+61 7 3138 6902), email: g.vickers () qut edu au

Thanks,
--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J
