Educause Security Discussion mailing list archives
Re: Web Security - what do you do?
From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Thu, 7 May 2009 13:46:10 -0500
I agree with Ken, and would also add other OWASP frameworks for web app assessment and securing applications need to be considered.

-----Original Message-----
From: Rowe, Ken <kenrowe () UILLINOIS EDU>
Sent: Thursday, May 07, 2009 2:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: Web Security - what do you do?

I agree that an application firewall is a necessary component for most Internet-facing web servers, especially if you don't have a strong vulnerability assessment and change control program in place. But I caveat that I mean a strong app firewall (e.g., DotDefender) that handles white listing urls, etc., not just a Cisco ASA box. This needs to go hand-in-hand with an OWASP-based approach to securing websites.

Ken.

==
Ken Rowe
Director of Enterprise Systems Assurance and Information Security
University Office of Administrative Information Technology Services
University of Illinois
50 Gerty Drive, MC-673
Champaign, IL 61820
E kenrowe () uillinois edu
O 217.265.0415
C 217.778.7693
F 217.333.6991