Application Security Discussion
Monday, November 23rd, 2015, 2:40-3:30 p.m.
Maureen Castaldi, Assistant Director, Database Systems
Cindy Hricko, Assistant Director of IT Development and Applications
2015 16th Annual PABUG Conference

General Announcements
• Please turn off all cell phones/pagers
• If you must leave the session early, please do so as discreetly as possible
• Please avoid side conversations during the session
• Questions will be answered …
Thank you for your cooperation

CPE Credits - We've gone electronic!
To receive CPE credits for this session (if eligible), complete the CPE Attendance Form on the PABUG Annual Conference website, http://pabug.org/pennsylvania-banner-usersgroup-annual-conference/cpe-credits/, or via the PABUG conference app.
For additional questions please contact Kim Fremont, CPE Coordinator: http://pabug.org/contact-us/

Development staff working within the constraints of Security
• Security, Security, Security
  – Industry best practices – what we know
  – Internal Auditor findings – what we don't know
  – Retrofit security into our operations – how can we incorporate the change that is needed without STOPPING progress?
• Module owner and integration account passwords changed on a regular schedule
• Formalized procedures for code and data changes
• New developers not given access to servers – takeaway from last year's session – THANK YOU!
• ESM implementation for a more controlled upgrade environment
• Developers/BAAs are still using shared privileged accounts
• Legacy code that may not be up to "security" standards

Other Hot Topics
– Application Security
  • SDLC with a concentrated effort to include Security
  • Application Inventory/Data Classification
  • Software Version Control/Movement through environments
  • Third-party product selection/vetting
– Reducing restricted data in the database
  • Archive/purge processes
  • Oracle 12c Data Redaction (dev/QA)
– DB Audit and Firewall
– Making the move to the Banner XE environment
– Training/Cross-training

Application Security – Software Development Life Cycle Procedure
How many have an informal SDLC? Formalized?
– Informal process since 1991
– Auditor finding: need for a more formalized process for new applications or acquisition of software systems
– Policy vs. Procedures

Application Security – Software Development Life Cycle Framework
– Different phases are being incorporated based on our current Change Management software (e.g. Initiation Phase – Open status, Requirements Phase – Authorized, etc.)
– Supplemental security standards will be in place
– Supplemental SDLC procedures and documentation for developers
– Augmenting with a checklist for SDLC procedures and Security Standards

Overall SDLC Procedures
• Initiation/Feasibility Phase
  – How does your institution determine cost analysis and business justification? Willing to share a scorecard for determining this?
  – What governance structures are in place at other schools to decide on a modification or a new system?
• Requirement Analysis Phase
  – Requiring a formalized user requirement document
  – The Information Security Office consults when dealing with Restricted Data
  – What is being done at your institution with regard to Security?
  – How does your institution determine whether a third-party vendor is to be used or whether you write custom applications?
• Design Phase
  – Creation of a Design Document will be required
  – May determine that a third-party product is to be used
  – Use the Security Office and Legal to purchase software
  – Standard checklist for third-party products
  How many have a formalized process for purchasing software? Is IT always involved?
• Development Phase
  – Supplemental Security Standards
  – Requiring the Information Security Office to be pulled in if the application deals with Restricted Data
  – Sensitive-data software (e.g. the Advancement form) was run through a security vendor (e.g. ControlScan)

Application Security Standards – Software Development Life Cycle Framework
• Systems Testing and Acceptance Phase
  • OWASP training
  • Authentication routines
  • Error handling
  • Security tools – reports attached to the Change Management ticket. What tools are being used at other institutions?
    – Acunetix – OWASP Top 10
    – VCG (VisualCodeGrepper) for source code scanning
  • Testing (peer, integration, customer). Anyone using performance testing software?
  • User sign-off testing
• Implementation Phase
  – Functional/operational documentation
  – User training
  – Source code moves
• Operations and Maintenance Phase
  – Retest through the security tools, including whenever there are major configuration or architecture changes
• Benefits to formalizing
  – Security is at the forefront
  – No steps will get missed
  – Designing templates for different types of applications (PHP, PL/SQL, etc.)
  – More rapid development
  – Start of our Application Security Inventory
  – Forces tracking of applications and their deprecation

Application Security – Application Inventory and Data Classification
Does your institution have a formalized way to track and classify applications?
– Information Classification & Protection Policy
  • Data classified in 3 categories
    – Restricted – PII: SSN, account information, routing numbers (HIPAA)
    – Confidential – private, for internal University business (FERPA)
    – Public
– Phase I
  • Identify and review software that reports Restricted Data
    – Run it through the SDLC Security Guide/Checklist
  • Create an application inventory: 4000+ in-house developed programs (Pro*C, SQL, shl, PL/SQL, Forms, Argos)
– Phase II
  • Identify and review software that reports Confidential Data

Application Security – Software Version Control and movement through environments (dev, qa, prd)
How many are using Git? Subversion?
– Scranton's "semi-automated" software move process NOW
  • Code is modified in the Development environment
  • A command to Move (Add/Update), Delete, compile PL/SQL, or some other Linux command is added to a project file that corresponds to the process date
  • MWF – the project file is processed for QA and Production; T, Th – the project file is processed for QA only
    – mv.qa /home/banner/scranton/some_plsql.sql
    – sp.qa baninst1 @/home/banner/scranton/some_plsql
  • Human intervention to process the file, check for errors, validate objects

Application Security – Software Version Control – FUTURE
– Debate whether in-house version control should be Git or Subversion
  • Currently using GitHub for our mobile code
  • Ellucian is using GitHub for XE
  • Realized that Git was beneficial for big projects with many hands working on them. The use of branching and merging seems to be the most advantageous feature, which our developers would not be using.
  • Subversion appears to work in line with how we work.
  • We have a $SCRANTON_HOME branch with approximately 30-40 folders, so we would need a repo for each. We will be using TortoiseSVN.

Other Hot Topics
– Reducing restricted data in the database
  • Archive/purge processes – there are a number of Ellucian processes out there, but we aren't using many of them. What processes is your institution currently using in production?
  • Oracle 12c Data Redaction (dev/QA)
– DB Audit and Firewall
– Making the move to the Banner XE environment
– Training/Cross-training

Open to the Floor
• Questions???
Maureen Castaldi, maureen.castaldi@scranton.edu
Cindy Hricko, cindy.hricko@scranton.edu

Please take time to complete our Conference and Session evaluations. YOUR INPUT MATTERS!!!
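The "semi-automated" move process slide above describes a date-named project file of mv.qa / sp.qa style commands that a person processes for QA on Tue/Thu and for QA and Production on Mon/Wed/Fri. The slide also allows "some other Linux command" in that file, which means the file can run arbitrary shell as the processing account. The script below is an added example, not code from the deck or from Scranton: a POSIX shell processor for such a file that applies the weekday rule and accepts only allow-listed mv.<env> / sp.<env> lines whose paths lie under the Banner source tree, refusing everything else before any line is applied. The wrappers mv.<env> and sp.<env> are modelled as a copy into a per-environment staging directory and a compile-request log; SRC_ROOT, STAGE_ROOT and the single allowed schema (baninst1, the one the slide shows) are assumptions.

```shell
#!/bin/sh
# Added example (not the deck's or Scranton's code): guarded processor for a date-named
# "project file" of move commands.  Assumptions: the site wrappers mv.<env> and sp.<env> are
# modelled as a copy into a per-environment staging directory and a compile-request log;
# SRC_ROOT, STAGE_ROOT and the single allowed schema (baninst1) are placeholders.
set -f                                        # no globbing when a line is split into words

SRC_ROOT="${SRC_ROOT:-/home/banner/scranton}" # only files under this tree may be moved
STAGE_ROOT="${STAGE_ROOT:-/tmp/banner_stage}" # hypothetical staging area, one subdir per env

# Weekday rule from the slide: MWF -> QA and Production, Tue/Thu -> QA only, otherwise nothing.
targets_for_day() {
    case "$1" in
        Mon|Wed|Fri) echo "qa prd" ;;
        Tue|Thu)     echo "qa" ;;
        *)           echo "" ;;
    esac
}

# A path is acceptable only if it lies under SRC_ROOT and contains no ".." component.
path_allowed() {
    case "$1" in
        "$SRC_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *..*) return 1 ;;
    esac
    return 0
}

# Accept exactly "mv.<env> <path>" or "sp.<env> <schema> @<path>"; everything else,
# including any other Linux command, is refused so the file cannot run arbitrary shell.
validate_project_line() {
    set -- $1
    case "${1:-}" in
        mv.qa|mv.prd)
            [ $# -eq 2 ] && path_allowed "$2" ;;
        sp.qa|sp.prd)
            [ $# -eq 3 ] && [ "$2" = "baninst1" ] && [ "$3" != "${3#@}" ] && path_allowed "${3#@}" ;;
        *)
            return 1 ;;
    esac
}

# Apply one validated line to the environment named in its verb suffix (qa or prd).
apply_line() {
    set -- $1
    target="${1#*.}"
    mkdir -p "$STAGE_ROOT/$target" || return 1
    case "$1" in
        mv.*) cp -- "$2" "$STAGE_ROOT/$target/" ;;
        sp.*) printf 'compile %s as %s\n' "${3#@}" "$2" >> "$STAGE_ROOT/$target/compile.log" ;;
    esac
}

# Process a project file for a weekday (Mon..Sun).  Every line is validated before anything
# is applied, so one bad line stops the whole move; lines for environments outside the day's
# window are skipped, which is what makes a Tue/Thu run QA-only.
process_project_file() {
    file="$1"; day="$2"
    targets="$(targets_for_day "$day")"
    [ -n "$targets" ] || { echo "no move window on $day" >&2; return 2; }
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        validate_project_line "$line" || { echo "line $n rejected: $line" >&2; return 1; }
    done < "$file"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        target="${line%% *}"; target="${target#*.}"
        case " $targets " in
            *" $target "*) apply_line "$line" || return 1 ;;
            *) echo "skipped ($target not in $day window): $line" >&2 ;;
        esac
    done < "$file"
}

# Stand-alone use: process_project_file <project file> <Mon..Sun>, e.g. "$(date +%a)" in the C locale.
if [ $# -ge 2 ]; then
    process_project_file "$1" "$2"
fi
```

The two-pass design is the point: a project file is either accepted whole or rejected whole, so a stray command never gets half-applied to QA before the reviewer notices it, and the allow-list replaces "human intervention to check for errors" with a check that runs every time.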