Educause Security Discussion mailing list archives

Re: Information Security Plan


From: Valdis Kletnieks <valdis.kletnieks () VT EDU>
Date: Thu, 14 Dec 2017 14:24:44 -0500

On Thu, 14 Dec 2017 12:24:48 -0500, George Larson said:

We're thinking PII/PHI would be hard-coded into the source code?  If
that's correct then the tool doesn't need to be concerned with the fact
that it is scanning source code, right?

The chances that anything other than test data is hard coded is pretty low.

What you're looking for is stuff like:

        for each (student_record) do;
                temp=student_record.some_PII_field;
                do_insecure_processing(temp);
        done;

So unless you have coding standards (and actually enforced ones, at that) that
tell you what the PII fields in a record are, you're in for a hard time.  If
you do, it's a simple grep of the source for all references to the PII fields.
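A minimal version of the "simple grep" described above, added here as an example (not part of the original message): given the PII field names that an enforced coding standard would define, it reports every source line that references one. The field names and the sample source are constructed for illustration.

```python
"""Find source-code references to PII fields named in a coding standard."""
import re
from pathlib import Path

# Assumed: the coding standard enumerates the PII/PHI field names (constructed list).
PII_FIELDS = ["ssn", "date_of_birth", "home_address", "diagnosis_code"]

# Match a field name only as a whole identifier: record.ssn, row["ssn"], self.ssn
FIELD_RE = re.compile(r"\b(" + "|".join(map(re.escape, PII_FIELDS)) + r")\b",
                      re.IGNORECASE)


def scan_text(text, filename="<input>"):
    """Return (filename, line_no, field, line) for each line that touches a PII field."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in FIELD_RE.finditer(line):
            hits.append((filename, no, m.group(1).lower(), line.strip()))
    return hits


def scan_tree(root, suffixes=(".py", ".java", ".js", ".sql")):
    """Walk a source tree and collect hits from files with the given suffixes."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return hits


# Constructed sample source, standing in for a real repository file.
SAMPLE = """\
for rec in student_records:
    temp = rec.ssn                      # PII copied into a local
    log.debug("processing %s", temp)    # and then written to a log
    name = rec.display_name             # not PII per the standard
    extra = rec["date_of_birth"]
"""

if __name__ == "__main__":
    for f, no, field, line in scan_text(SAMPLE, "sample.py"):
        print(f"{f}:{no}: {field}: {line}")
```

Note that the hit on line 2 is only the point where the PII enters a local variable; following `temp` into the log call on line 3 needs data-flow analysis, which a lexical scan like this cannot do.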
