Application Security Discussion
Monday, November 23rd, 2015, 2:40-3:30 p.m.
Maureen Castaldi, Assistant Director, Database Systems
Cindy Hricko, Assistant Director of IT Development and Applications
2015
16th Annual PABUG Conference
General Announcements:
• Please turn off all cell phones/pagers
• If you must leave the session early,
please do so as discreetly as possible
• Please avoid side conversations
during the session
• Questions will be answered …..
Thank you for your cooperation
CPE Credits - We’ve gone electronic!
To receive CPE credits for this session (if
eligible), complete the CPE Attendance Form
on the PABUG Annual Conference website
http://pabug.org/pennsylvania-banner-usersgroup-annual-conference/cpe-credits/
or via the PABUG conference app.
For additional questions please contact
Kim Fremont CPE - Coordinator
http://pabug.org/contact-us/
Development staff working within the constraints of Security
• Security, Security, Security
  – Industry Best Practices – what we know
  – Internal Auditor findings – what we don't know
  – Retrofit security into our operations – how can we incorporate the change that is needed without STOPPING progress?
• Module owner and integration account passwords changed on a regular schedule
• Formalized procedures for code and data changes
• New developers not given access to servers – takeaway from last year's session – THANK YOU!
• ESM implementation for a more controlled upgrade environment
• Developers/BAAs are still using shared privileged accounts
• Legacy code that may not be up to "security" standards
Other Hot Topics
– Application Security
  • SDLC with a concentrated effort to include Security
  • Application Inventory/Data Classification
  • Software Version Control/Movement through environments
  • Third-party product selection/vetting
– Reducing restricted data in the database
  • Archive/purge processes
  • Oracle 12c Data Redaction (dev/QA)
– DB Audit and Firewall
– Making the move to the Banner XE environment
– Training/Cross-training
Application Security
Software Development Life Cycle Procedure
How many have an informal SDLC? Formalized?
– Informal process since 1991
– Auditor Finding: need for a more formalized
process for new applications or acquisition of
software systems
– Policy vs. Procedures
Application Security
Software Development Life Cycle Framework
– Different phases are being incorporated based on our current Change Management software (e.g. Initiation Phase – Open status, Requirements Phase – Authorized status, etc.)
– Supplemental security standards will be in place
– Supplemental SDLC procedures and documentation for developers
– Augmenting with a checklist for SDLC procedures and Security Standards
Application Security
Software Development Life Cycle Framework
Overall SDLC Procedures
• Initiation/Feasibility Phase
  – How does your institution determine cost analysis and business justification? Willing to share your scorecard for determining this?
  – What governance structures are in place at other schools to decide between a modification and a new system?
Application Security
Software Development Life Cycle Framework
• Requirement Analysis Phase
  – Requiring a formalized user requirement document.
  – Information Security Office consults when dealing with Restricted Data.
  – What is being done at your institution with regards to Security?
  – How does your institution determine whether a third-party vendor is to be used, or do you write custom applications?
Application Security
Software Development Life Cycle Framework
• Design Phase
  – Creation of a Design Document will be required
  – May determine that a third-party product is to be used
  – Involve the Security Office and Legal when purchasing software
  – Standard checklist for third-party products
How many have a formalized process for purchasing software? Is IT always involved?
Application Security
Software Development Life Cycle Framework
• Development Phase
  – Supplemental Security Standards
  – Requires pulling in the Information Security Office if the application deals with Restricted Data
  – Software handling sensitive data (e.g. the Advancement Form) was run through a security vendor (ControlScan)
Application Security Standards
Software Development Life Cycle Framework
• Systems Testing and Acceptance Phase
  • OWASP Training
  • Authentication Routines
  • Error Handling
  • Security Tools – reports attached to the Change Management ticket. What tools are being used at other institutions?
    – Acunetix – OWASP Top 10
    – VCG (VisualCodeGrepper) for source code scanning
  • Testing (Peer, Integration, Customer) – Anyone using performance testing software?
  • User Sign-off Testing
Application Security Standards
Software Development Life Cycle Framework
• Implementation Phase
  – Functional/Operational Documentation
  – User Training
  – Source Code Moves
• Operations and Maintenance Phase
  – Retest with the security tools, including whenever there are major configuration or architecture changes.
Application Security Standards
Software Development Life Cycle Framework
• Benefits of formalizing
  – Security is at the forefront
  – No steps will get missed
  – Design of templates for different types of applications (PHP, PL/SQL, etc.)
  – More rapid development
  – Start of our Application Security Inventory
  – Forces tracking of applications and their deprecation
Application Security
Application Inventory and Data Classification
Does your institution have a formalized way to track and classify applications?
– Information Classification & Protection Policy
  • Data classified in 3 categories
    – Restricted – PII: SSN, account information, routing numbers (HIPAA)
    – Confidential – private for internal University business (FERPA)
    – Public
– Phase I
  • Identify and review software that reports Restricted Data
    – Run it through the SDLC Security Guide/Checklist
  • Create an application inventory: 4000+ in-house developed programs (Pro*C, SQL, shl, PL/SQL, Forms, Argos)
– Phase II
  • Identify and review software that reports Confidential Data
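A first pass at the Phase I inventory above can be scripted rather than done by hand. The following is an added example, not Scranton's own script: it walks a source tree, records each program's type using the categories on the slide, and flags programs whose source references restricted-data columns, so those go through the SDLC security checklist first. The extension map, the "argos" extension and the column patterns are assumptions to adapt to your own classification policy; the only Banner column name used is SPBPERS_SSN.

```shell
#!/bin/sh
# Added example (not Scranton's tooling): application inventory with a
# restricted-data flag. Assumed: the extension mapping below and the list
# of identifiers that mark a program as touching Restricted data.

# Identifiers that mark a program as touching Restricted data. Constructed,
# illustrative list; extend it from your Information Classification policy.
RESTRICTED_PATTERNS='SPBPERS_SSN|_SSN|ACCT_NUM|BANK_RTN'

# Program type from the file extension (assumed mapping for the slide's categories).
classify() {
    case "$1" in
        *.pc)                     echo "pro*c" ;;
        *.sql)                    echo "sql" ;;
        *.shl|*.sh)               echo "shl" ;;
        *.pls|*.plb|*.pks|*.pkb)  echo "plsql" ;;
        *.fmb|*.fmx)              echo "forms" ;;
        *.argos)                  echo "argos" ;;   # assumed extension for exported Argos reports
        *)                        echo "other" ;;
    esac
}

# Number of lines in a file that mention a restricted identifier (0 if none).
restricted_refs() {
    n=$(grep -Eic "$RESTRICTED_PATTERNS" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# CSV inventory of every file under $1: path, type, classification, reference count.
# Anything with a restricted reference is "restricted"; everything else is
# "needs-review" because it may still handle Confidential (Phase II) data.
inventory() {
    echo "path,type,classification,restricted_refs"
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        refs=$(restricted_refs "$f")
        if [ "$refs" -gt 0 ]; then class=restricted; else class=needs-review; fi
        echo "$f,$(classify "$f"),$class,$refs"
    done
}

# Count of restricted programs in an inventory CSV read from stdin.
count_restricted() {
    grep -c ',restricted,' || true
}

# Typical use: inventory "$SCRANTON_HOME" > app_inventory.csv
```

The reference count is a triage signal, not a classification: a program that builds its SQL dynamically or calls a package that reads SPBPERS will show 0 here, so the "needs-review" rows still need an owner to look at them before they are marked Public.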
Application Security
Software Version Control and movement through environments (dev, qa, prd)
How many are using Git? Subversion?
– Scranton's "semi-automated" software move process NOW
  • Code is modified in the Development environment
  • A command to Move (Add/Update), Delete, compile PL/SQL, or run some other Linux command is added to a project file that corresponds to the process date
  • MWF – the project file is processed for QA and Production; T/Th – the project file is processed for QA only
      mv.qa /home/banner/scranton/some_plsql.sql
      sp.qa baninst1 @/home/banner/scranton/some_plsql
  • Human intervention to process the file, check for errors, and validate objects
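The project file in the process above is, in effect, a script that gets executed against QA and Production, so the processor should treat it as untrusted input. The following is an added example, not Scranton's actual processor: it reads a project file, picks the target environments from the weekday, allows only the three verbs (mv, rm, sp) on paths under the source root, rejects any line with shell metacharacters or globs, and stops at the first failure so a human can look before anything else is moved. The verb names, the per-environment wrapper naming (mv.qa, sp.prd, ...), the project-file layout and the source root are assumptions.

```shell
#!/bin/sh
# Added example, not Scranton's tooling: a processor for the per-date "project
# file". Assumed: one command per line using the verbs mv (add/update),
# rm (delete) and sp (PL/SQL compile); wrappers named <verb>.<env> exist on
# PATH for each environment; all source lives under $SRC_ROOT.
SRC_ROOT=${SRC_ROOT:-/home/banner/scranton}

# Environments a run targets on a given weekday (1=Mon ... 7=Sun):
# Mon/Wed/Fri -> QA then Production, Tue/Thu -> QA only, weekend -> nothing.
targets_for_weekday() {
    case "$1" in
        1|3|5) echo "qa prd" ;;
        2|4)   echo "qa" ;;
        *)     echo "" ;;
    esac
}

# The project file is effectively executed, so each line is validated before
# use: only the three verbs, every path under SRC_ROOT, no traversal, and no
# shell metacharacters or glob characters anywhere on the line.
validate_line() {
    case "$1" in
        *[';&|$()<>`']*|*'\'*|*'*'*|*'?'*|*'['*) return 1 ;;
    esac
    set -- $1
    case "$1" in
        mv|rm) [ $# -eq 2 ] || return 1; path=$2 ;;
        sp)    [ $# -eq 3 ] || return 1; path=${3#@} ;;
        *)     return 1 ;;
    esac
    case "$path" in
        *..*)          return 1 ;;
        "$SRC_ROOT"/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the wrapper invocations for one project file on one weekday. Stops at
# the first invalid line so a half-planned file never reaches an environment.
plan_project_file() {   # $1 = project file, $2 = weekday number
    file=$1
    envs=$(targets_for_weekday "$2")
    if [ -z "$envs" ]; then
        echo "no move scheduled for weekday $2" >&2
        return 2
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        if ! validate_line "$line"; then
            echo "$file: line $n rejected: $line" >&2
            return 1
        fi
        set -- $line          # safe to split: the line passed validation
        verb=$1; shift
        for env in $envs; do
            echo "$verb.$env $*"
        done
    done < "$file"
}

# Execute the plan, stopping at the first failing command for human review.
run_project_file() {
    plan=$(plan_project_file "$1" "$2") || return $?
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        echo "+ $cmd"
        $cmd || { echo "FAILED: $cmd (stopping; review before continuing)" >&2; exit 1; }
    done
}

# Typical cron use: run_project_file "/home/banner/moves/$(date +%Y%m%d).prj" "$(date +%u)"
```

The point of the allow-list is that a project file, or whatever can write one, would otherwise have the same power as a shell on the Production host; restricting it to three verbs under one root keeps the "semi-automated" step from becoming a generic remote-execution path. Once the file is under version control, the same validator can run as a pre-commit hook so rejected lines never reach the scheduled run.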
Application Security
Software Version Control
– FUTURE – debate whether in-house version control should be Git or Subversion
  • Currently using GitHub for our mobile code
  • Ellucian is using GitHub for XE
  • Realized that Git is beneficial for big projects with many hands working on them. Branching and merging seems to be its most advantageous feature, which our developers would not be using.
  • Subversion appears to work in line with how we work. We have a $SCRANTON_HOME branch with approx. 30-40 folders, so we would need a repo for each. We will be using TortoiseSVN.
Other Hot Topics
– Reducing restricted data in the database
  • Archive/purge processes
    – There are a number of Ellucian processes for this, but we aren't using many of them.
    What processes is your institution currently using in production?
  • Oracle 12c Data Redaction (dev/QA)
– DB Audit and Firewall
– Making the move to the Banner XE environment
– Training/Cross-training
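For the Oracle 12c Data Redaction item above, here is an added example of what applying a policy to a dev/QA clone looks like; it is not Scranton's script. It wraps the DBMS_REDACT call in the kind of shell-plus-sqlplus job a Banner shop already runs, and refuses to run unless ORACLE_SID is on a non-production allow-list. The table and column (SATURN.SPBPERS, SPBPERS_SSN) are Banner's; the policy name, the SID list and the connect string are assumptions.

```shell
#!/bin/sh
# Added example, not Scranton's script: partial redaction of SPBPERS_SSN on a
# non-production Banner database. Assumed: the SID allow-list, the policy
# name, and an account holding EXECUTE on DBMS_REDACT in the connect string.

NONPROD_SIDS="dev qa"      # assumed SID names; production is deliberately absent

# Refuse to run unless ORACLE_SID is on the non-production allow-list.
is_nonprod_sid() {
    for sid in $NONPROD_SIDS; do
        [ "$1" = "$sid" ] && return 0
    done
    return 1
}

# Emit the SQL*Plus script: create the policy, then show it from the
# REDACTION_POLICIES view so the run log proves it is enabled.
redaction_policy_sql() {
    cat <<'EOF'
WHENEVER SQLERROR EXIT FAILURE
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'SATURN',
    object_name         => 'SPBPERS',
    column_name         => 'SPBPERS_SSN',
    policy_name         => 'spbpers_ssn_nonprod',   -- assumed policy name
    function_type       => DBMS_REDACT.PARTIAL,
    -- 9-character SSN: mask positions 1-5 with '*', leave the last four visible
    function_parameters => 'VVVVVVVVV,VVVVVVVVV,*,1,5',
    expression          => '1=1');                   -- applies to every session
END;
/
SELECT object_owner, object_name, policy_name, enable
  FROM redaction_policies
 WHERE object_name = 'SPBPERS';
EOF
}

# $1 = sqlplus connect string for the clone, e.g. redact_admin@dev (assumed account)
apply_redaction() {
    if ! is_nonprod_sid "${ORACLE_SID:-}"; then
        echo "refusing: ORACLE_SID='${ORACLE_SID:-}' is not a non-production SID" >&2
        return 1
    fi
    redaction_policy_sql | sqlplus -S "$1"
}
```

Two caveats before relying on this for dev/QA. Redaction rewrites query results, not stored data: anyone with the EXEMPT REDACTION POLICY privilege (and SYS) still sees cleartext, and a developer with direct SQL access can still probe values through the WHERE clause (`WHERE spbpers_ssn LIKE '123%'`), which redaction does not block. Oracle positions Data Redaction for production applications; for clones that developers query directly, it reduces casual exposure but the stronger fix is to mask or scrub the restricted columns in the clone itself, which also shrinks the footprint the archive/purge work targets.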
Open to the Floor
• Questions???
Maureen Castaldi
maureen.castaldi@scranton.edu
Cindy Hricko
cindy.hricko@scranton.edu
Please take time to complete our
Conference and Session
evaluations.
YOUR INPUT MATTERS!!!