
TechnoExpo, September 2004 1

University of California, Irvine

Security Awareness for Web Developers

Katya Sadovsky

Administrative Computing Services


University of California, Irvine (Administrative Computing Services)

Agenda

- Overview of privacy regulations
- Security architecture design
- Authentication with WebAuth
- File and directory security risks
- Modeling and storing sensitive data
- Sensitive data in cookies and URLs
- Communication between distributed components
- Peer code reviews

End User Security

Since developers also happen to be end users of computing, topics covered in the "End User Security Awareness" session apply to attendees of this session as well.

Session materials are available at: http://apps.adcom.uci.edu/EnterpriseArch/PresentationsConferences/TechnoExpo2004EndUserSecurity.ppt

Privacy regulations

- State Bill 1386 (State Law)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Digital Millennium Copyright Act
- Federal Trade Commission - Gramm-Leach-Bliley Act on Customer Privacy
- USA Patriot Act of 2002

State Bill 1386 (State Law)

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

- Social security number
- Driver's license number or California Identification Card number
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account

FERPA

Family Educational Rights and Privacy Act

- Federal law that protects the privacy of student education records.
- Allows students to block access to their information, or even to the existence of their records. Contact the Registrar for info and procedures.

HIPAA

Health Insurance Portability and Accountability Act

"Individually identifiable health information" is private and must be protected in any form or media, whether electronic, paper, or oral.

Protect demographic data (e.g. name, address, birth date, Social Security Number) related to:

- the individual's past, present or future physical or mental health or condition
- the provision of health care to the individual
- the past, present, or future payment for the provision of health care to the individual

Campus Policies you must know

You can find all policies at http://www.policies.uci.edu

- 714-11 Guidelines for NACS Computer Usage
- 714-12 Office of Academic Computing Policy on Ownership and Rights of Access to Software and Data
- 714-14 Copying Computer Programs
- 714-15 Policy on Access to University Administrative Information Systems
- 714-16 Procedures for Accessing University Administrative Information Systems
- 714-17 Using University Administrative Information Systems
- 714-18 Computer and Network Use Policy

Using sensitive data in applications

Getting necessary approvals:

- The Payroll/Personnel office or Human Resources must grant approval for access to private employee information
- The Registrar has a formal process for approving student data release

Security Architecture Design

The Security Architecture must facilitate:

- proper and efficient identification
- authentication
- authorization
- administration and auditability

Identity management:

- uniqueness
- account management

Security Architecture Design

The Security Architecture also should:

- be flexible to support the introduction and/or integration of new technologies
- address and support multiple levels of protection, including database, network level, operating system, and application level security needs
- provide a modular approach to authentication, authorization, and accounting

Security Architecture Design

Other design considerations:

- Consider security during initial system design
- Minimize the number of security devices
- Delegate access control where appropriate
- Centralize security policy, maintenance operation and oversight functions
- Utilize Open Standards
- Assign security levels consistently and at the lowest level of access required by the individual

Authentication with WebAuth

- WebAuth is the campus single-signon authentication mechanism
- General information is available at http://www.nacs.uci.edu/help/webauth
- There is some additional info for Java programmers at http://snap.uci.edu/PortalDocs/webAuth/ssoWithWebAuth.html
- Single-Signon = Single-Signoff! Once a user logs off one WebAuth-enabled application, s/he should be logged off all others

Authentication with WebAuth

Understand different timeouts:

- Cookie age
- Local session timeout

Logout:

- Do not use "backend" logouts, since they do not dispose of a cookie correctly; use HTTP redirects instead.
- Test your applications to make sure they reflect the logout as soon as it's sent to WebAuth from this or any other application (even if there is a local session)!
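The two timeouts and the single sign-off rule on the last two slides can be expressed as one validity check that every application applies on each request. The following is an added example, not code from the slides or from WebAuth itself: the SsoSession class, the timeout constants, the shared logout registry and the placeholder logout URL are hypothetical stand-ins for the real mechanism documented at the URLs above.

```python
"""Session validity under two timeouts plus campus-wide single sign-off.

Added example, not code from the original slides or from WebAuth. The
SsoSession class, the timeout constants, the logout registry and the
placeholder logout URL are all hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Tuple

COOKIE_MAX_AGE = 8 * 3600      # assumed lifetime of the SSO cookie, in seconds
LOCAL_IDLE_TIMEOUT = 30 * 60   # assumed inactivity limit of this application's session

# Hypothetical campus-wide record of the last SSO logout time per user.
# Every WebAuth-enabled application consults the same record, so a logout
# in one application is visible to all of them (single sign-off).
LogoutRegistry = Dict[str, float]


@dataclass
class SsoSession:
    user: str
    cookie_issued_at: float   # when the SSO cookie was minted
    last_activity_at: float   # last request this application saw

    def is_valid(self, now: float, logouts: LogoutRegistry) -> bool:
        """True only if all three rules hold: cookie not too old, local
        session not idle, and no SSO logout since the cookie was issued."""
        if now - self.cookie_issued_at > COOKIE_MAX_AGE:
            return False                      # cookie age exceeded
        if now - self.last_activity_at > LOCAL_IDLE_TIMEOUT:
            return False                      # local session timed out
        logged_out_at = logouts.get(self.user)
        if logged_out_at is not None and logged_out_at >= self.cookie_issued_at:
            return False                      # logged off elsewhere after this login
        return True


def sso_logout(user: str, now: float, logouts: LogoutRegistry) -> None:
    """Record a logout so every application's is_valid() starts failing,
    whether or not that application still holds a local session."""
    logouts[user] = now


def logout_redirect(sso_logout_url: str) -> Tuple[int, Dict[str, str]]:
    """Log out by redirecting the browser to the SSO logout endpoint instead of
    calling it server-side: only the browser can discard its own cookie.
    The URL is a placeholder supplied by the caller."""
    return 302, {"Location": sso_logout_url}


if __name__ == "__main__":
    registry: LogoutRegistry = {}
    session = SsoSession("ucinetid1", cookie_issued_at=0.0, last_activity_at=0.0)
    print("fresh login valid:", session.is_valid(100.0, registry))
    sso_logout("ucinetid1", 50.0, registry)   # logout from some other application
    print("after sign-off elsewhere:", session.is_valid(100.0, registry))
```

The check deliberately applies the global logout record before trusting the local session, which is the behaviour the slide asks you to test for: a session that is still within both timeouts is rejected the moment a logout is recorded anywhere on campus.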

File and directory security risks

- Use operating system encryption capabilities to protect files with private data
- Make sure that Read/Write/Execute access on files and directories is correct:
  - Sensitive files (e.g. passwords, SSN) are not world readable and are not located in Web accessible directories or sub-directories
  - Sensitive data such as passwords, SSN, account number is encrypted in files and/or databases
  - Log files are not world readable (keep in mind that URL query strings from GET requests are logged to a file)
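The permission and placement rules on this slide are easy to audit automatically. The following is an added example, not code from the slides: it walks a directory tree and reports files that are world-readable, world-writable, or located under the web-accessible directory. The layout built in demo() is constructed for illustration.

```python
"""Audit a directory tree for the file-permission risks on the slide:
world-readable files, and files sitting inside the web-accessible tree.

Added example, not code from the original slides. The directory layout
built in demo() is constructed; the audit rules are the slide's,
expressed as checks on POSIX permission bits.
"""
from __future__ import annotations

import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def audit_file(path: Path, web_root: Path) -> List[str]:
    """Return the list of problems found for one file (empty means clean)."""
    problems: List[str] = []
    mode = path.stat().st_mode
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    try:
        # relative_to raises ValueError when path is not under web_root
        path.resolve().relative_to(web_root.resolve())
        problems.append("inside web-accessible directory")
    except ValueError:
        pass
    return problems


def audit_tree(root: Path, web_root: Path) -> Dict[str, List[str]]:
    """Audit every regular file below root; keys are POSIX-style relative paths."""
    report: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            report[path.relative_to(root).as_posix()] = audit_file(path, web_root)
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed layout with one good and two bad files, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        web_root = base / "htdocs"
        (web_root / "include").mkdir(parents=True)
        (base / "etc").mkdir()
        (base / "logs").mkdir()

        # BAD: credentials file under the document root and world-readable
        creds = web_root / "include" / "db_password.txt"
        creds.write_text("password=constructed-sample\n")
        creds.chmod(0o644)

        # GOOD: outside the web tree, owner-only access
        conf = base / "etc" / "app.conf"
        conf.write_text("db_user=app\n")
        conf.chmod(0o600)

        # BAD: access log is world-readable (GET query strings land here)
        log = base / "logs" / "access.log"
        log.write_text('"GET /lookup?campus_id=12345678 HTTP/1.1" 200\n')
        log.chmod(0o644)

        return audit_tree(base, web_root)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {', '.join(problems) or 'ok'}")
```

Run it against a real deployment by calling audit_tree() with the application's base directory and its document root; anything reported as "inside web-accessible directory" can be fetched by a browser regardless of its permission bits.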

Data modeling

When designing database tables for an application, note that:

- Application must be able to deal with cross-references
- Campus_ID offers the greatest degree of flexibility when choosing a table key, as opposed to student ID or employee ID
- Social Security Number should never be used as a person key and should be avoided

Storing sensitive data

AVOID storing sensitive data if at all possible!

If you have to store sensitive data:

- Encrypt table records and/or files that contain: password, SSN, home phone/address, credit card, bank account, California Driver's License, non-public student or employee data, or FERPA blocked student data
- Use encrypted transmission for data retrieval and modification
- Educate end users about the sensitivity of the data

Storing sensitive data, cont'd

- Catalogue and inventory your use of personal data
- Make sure data is backed up: in the case data is compromised, use backups to notify affected individuals.

Sensitive data in cookies and URLs

- Do NOT store sensitive data of any kind in cookies or URLs (GET requests are logged in web log files).
- Using WebAuth for authentication eliminates the need to invent an authentication mechanism (and store passwords in cookies).
- Use non-persistent cookies (that disappear once a browser is closed) instead of persistent ones.
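Two checks follow from this slide and from the log-file note on the file-security slide: make sure the session cookie you set is non-persistent, and scan the web logs for sensitive values that arrived in GET query strings. The following is an added example, not code from the slides. The log lines are constructed samples in Common Log Format, and the parameter-name list and the SSN/card-number patterns are assumptions chosen for illustration; the Secure and HttpOnly flags are standard cookie attributes the slide does not mention.

```python
"""Non-persistent session cookies, and detection of sensitive data in GET
query strings recorded in web logs.

Added example, not code from the original slides. SAMPLE_LOG lines are
constructed; SENSITIVE_PARAMS and the value patterns are assumptions.
"""
from __future__ import annotations

import re
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def session_cookie(name: str, value: str, max_age: Optional[int] = None) -> str:
    """Build a Set-Cookie header value. Without max_age the cookie carries no
    Expires/Max-Age, so the browser discards it when closed (non-persistent).
    Secure keeps it off plain HTTP; HttpOnly keeps it away from page scripts."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    if max_age is not None:
        jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def is_persistent(set_cookie: str) -> bool:
    """True if a Set-Cookie header value asks the browser to keep the cookie
    across browser sessions (Expires or Max-Age present)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return any(m["expires"] or m["max-age"] for m in jar.values())


# Parameter names and value shapes that should never travel in a URL
SENSITIVE_PARAMS = {"ssn", "password", "passwd", "pwd", "card", "ccnum", "account"}
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CARD_RE = re.compile(r"^\d{13,16}$")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Sep/2004:10:01:12 -0700] "GET /lookup?campus_id=12345678 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Sep/2004:10:02:45 -0700] "GET /verify?ssn=123-45-6789&last=Smith HTTP/1.1" 200 220',
    '10.0.0.7 - - [20/Sep/2004:10:03:01 -0700] "POST /verify HTTP/1.1" 302 0',
    '10.0.0.7 - - [20/Sep/2004:10:04:30 -0700] "GET /pay?card=4111111111111111 HTTP/1.1" 200 900',
]


def find_url_leaks(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, method, parameter, reason) for every query-string
    parameter that is named like, or shaped like, sensitive data."""
    leaks = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for key, values in query.items():
            reasons = []
            if key.lower() in SENSITIVE_PARAMS:
                reasons.append("sensitive parameter name")
            if any(SSN_RE.match(v) or CARD_RE.match(v) for v in values):
                reasons.append("value shaped like an SSN or card number")
            if reasons:
                leaks.append((n, m.group("method"), key, "; ".join(reasons)))
    return leaks


if __name__ == "__main__":
    print(session_cookie("sid", "abc123"))
    for leak in find_url_leaks(SAMPLE_LOG):
        print("line %d: %s parameter %r (%s)" % leak)
```

The POST request on line 3 carries no query string, so nothing about its body reaches the log; that is the practical reason behind the "always use POST for private information" advice on the next slide.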

Communication between distributed components

- Document how the data is used by each component
- Transmissions/exchanges of private information must be encrypted using protocols like:
  - HTTPS
  - SFTP
  - SSH
  - STunnel
  - VPN: http://www.nacs.uci.edu/security/vpn.html
- Always use a POST method when your forms submit any private information

Page Caching

- Be aware that pop-up windows with sensitive information may remain open even after logout
- Pages with sensitive data should not be cached: page content is easily accessed using browser's history
- Use the following tags to disable page caching:

<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-store, no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">

SQL Injection Attacks

SQL Injection examples are outlined in: http://searchdatabase.techtarget.com/searchDatabase/downloads/sqlServerSecurity.pdf

To prevent these hacks:

- Validate parameter types and values before inserting them into an SQL statement (never use raw parameter data for SQL)
- Test for these vulnerabilities as part of a functional test
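Both bullets on this slide, shown side by side: a lookup that splices raw parameter data into SQL, the same lookup with type/value validation and a bound parameter, and the injection probe written as a functional test. This is an added example, not code from the slides or from the linked PDF. The persons table (keyed by Campus_ID, as the data modeling slide recommends) and its rows are constructed, and the 8-digit Campus_ID format is an assumption.

```python
"""String-built query next to its validated, parameterized replacement, with
the injection probe turned into a functional test.

Added example, not code from the original slides or the linked PDF. The
persons table and its rows are constructed; the 8-digit Campus_ID format
is an assumption.
"""
from __future__ import annotations

import re
import sqlite3
from typing import List

CAMPUS_ID_RE = re.compile(r"^\d{8}$")   # assumed format; adjust to the real one


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE persons (campus_id TEXT PRIMARY KEY, name TEXT, "
        "dept TEXT, public INTEGER)"
    )
    # public = 0 marks a record the directory lookup must never return
    conn.executemany("INSERT INTO persons VALUES (?, ?, ?, ?)", [
        ("10000001", "Ada Lovelace", "Mathematics", 1),
        ("10000002", "Alan Turing", "Computer Science", 0),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, campus_id: str) -> List[str]:
    """BAD: raw parameter data spliced into the SQL text. Input that closes
    the quoted literal rewrites the rest of the WHERE clause."""
    sql = (f"SELECT name FROM persons WHERE campus_id = '{campus_id}' "
           "AND public = 1")
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, campus_id: str) -> List[str]:
    """GOOD: validate the type and shape first, then bind the value as a
    parameter so the database never interprets it as SQL."""
    if not isinstance(campus_id, str) or not CAMPUS_ID_RE.match(campus_id):
        raise ValueError("campus_id must be exactly 8 digits")
    sql = "SELECT name FROM persons WHERE campus_id = ? AND public = 1"
    return [row[0] for row in conn.execute(sql, (campus_id,))]


# A closing quote followed by a comment sequence: the textbook probe from the
# SQL injection literature the slide points to. Against lookup_vulnerable()
# it comments out the public = 1 filter.
PROBE = "10000002' --"


def injection_regression_test(conn: sqlite3.Connection) -> bool:
    """Functional test for the slide's last bullet: the probe must be rejected
    before it reaches the database, and normal lookups must still honour
    the public flag."""
    try:
        lookup_safe(conn, PROBE)
        return False          # the probe should never reach the database
    except ValueError:
        pass
    return (lookup_safe(conn, "10000002") == []
            and lookup_safe(conn, "10000001") == ["Ada Lovelace"])


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable lookup with probe:", lookup_vulnerable(db, PROBE))
    print("regression test passes:", injection_regression_test(db))
```

The regression test belongs in the application's ordinary test suite so that a later change which drops the validation or reverts to string building fails the build rather than reaching production.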

Code Reviews

- Employ peer code reviews to catch oversights
- More formal code reviews may be necessary for highly sensitive applications

Summary

- Understand what constitutes private data
- Understand security and privacy regulations
- Avoid storing sensitive data if possible
- Encrypt private data in storage and communication
- Review data storage and code periodically
- Make sure there is a backup person for the security administrator

Useful links

- UCOP IT security site: http://www.ucop.edu/irc/itsec/
- NACS security site: http://www.nacs.uci.edu/security/index.html
- AdCom application security checklist: http://snap.uci.edu/viewXmlFile.jsp?xml=webpages/xml/sdlc/checkListSecurityReview.xml

Questions?