Securing Sakai: Ensuring a Secure Sakai Instance Sean DeMonner Alan Berg Anthony White Ian Boston Matthew Jones 2010 Sakai Conference Denver, Colorado.


1 Securing Sakai: Ensuring a Secure Sakai Instance Sean DeMonner Alan Berg Anthony White Ian Boston Matthew Jones 2010 Sakai Conference Denver, Colorado Tuesday, Jun 15 (15:25 - 16:30)

2 Overview
11th Sakai Conference - June 15-17, 2010
- Sakai security policy
- Who is on the Security Working Group? [identifying by name/institution, or in person]
- What to do if you suspect a security issue
- Security related activities
  o Reactive development
  o Proactive investigation (U-M, Sakai Foundation)
- Top 10 list for Production instances
- Recap and Q&A

3 Sakai Security Policy
http://confluence.sakaiproject.org/display/DOC/Security+Policy
- Issues restricted to Sakai security contacts and members of the Sakai Security Work Group
- Security advisories and security updates issued to the general public once existing Sakai installations have been notified and given time to patch their systems.
- Three levels of issue severity: Critical, Major, Minor

4 Security Working Group
- Alan Berg, UvA
- Noah Botimer, UMich
- Matthew Buckett, Oxford
- Jon Gorrono, UC Davis
- Matt Jones, UMich
- Charles Hedrick, Rutgers
- David Horwitz, UCT
- Dawn Isabel, UMich
- Jean-Francois Leveque, UPMC
- Stephen Marquard, UCT
- Charles Severance, UMich
- Steve Swinsburg, ANU
- Seth Theriault, Columbia
- Anthony Whyte, Sakai Foundation / UMich

5 Handling Security Issues
NOTICE: If you uncover a security vulnerability in Sakai software please do not voice your concerns on any public listserv, blog or other open communication channel but instead notify the Sakai Foundation immediately at security@sakaifoundation.org. Please provide a callback telephone number so that we can contact you by telephone if it is deemed necessary.

6 Security Activities: Reactive
- Over 150 issues in last 6 months(?)
  o Not always resolved as quickly as we'd like
  o Security coordinator, anyone?
- Many fixes in 2.7, some of which were U-M reported items that were responded to very quickly
- Other info on issue counts, turnaround times, etc. from Jiras?

7 Security Activities: Proactive
- U-M Testing
  o Penetration testing summary; annual plan?
- Sakai Foundation Testing
  o Security Sweep 2.7
    - Review Jira
    - Simple penetration testing
    - Static code analysis
- Sakai 3 and security

8 Sakai 3 and Security
- Changed security model
  o was: All UI content from the server made secure, no chink
  o now: Data is insecure, UI must construct a secure UI
- (needs diagram here, I can talk to this slide: Ian)

9 "Top 10 List"
- Have a rep on the security team; adopt need-to-know basis
- Admin Account management
- Admin Account passwords
- Separate daily driver and admin accounts
- Server & Database user passwords
- Code reviews with security emphasis
- Best practices
- System patches
- Independent audit of system and processes
- Secure the web services:
  o http://steve-on-sakai.blogspot.com/2009/05/enabling-web-services-in-sakai-and.html

10 Easy Reading
- OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Lulu Website for OWASP books: http://stores.lulu.com/owasp
- Google Caja Project: http://code.google.com/p/google-caja/

11 Thank you for your interest!
Recap & QA
