A Strategy… Nancy N. Soreide NOAA/PMEL NOAA WebShop 2004 July 27-29, 2004, Philadelphia, PA For improving the security of Web and Internet applications.


Creation of successful web pages is critical to supporting NOAA’s mission strategy to: “Engage, advise, and inform individuals, partners, communities, and industries to facilitate information flow, assure coordination and cooperation, and provide assistance in the use, evaluation, and application of information” (NOAA Strategic Plan, updated for FY2005-FY2010)

NOAA projects are famous for interactive web pages that produce information and data as customized graphics, listings and animations of scientific data for the user. In fact, NOAA websites that present NOAA science, data, analysis and information in a manner that is clear, scientifically validated, useful, interesting and intelligible to a broad audience are critical to supporting NOAA in promoting “increased use and effectiveness of climate information for decision makers and managers”*
*NOAA Strategic Plan, updated for FY2005-FY2010

High Technology Web and Internet Applications
Creation of effective and easily navigated web pages, for which NOAA is famous, requires that developers utilize high technology solutions:
–Java applets and back-end Java code
–Common Gateway Interface (CGI) scripts
–Database access methodologies
–Content management products and solutions
Security considerations require that developers recognize and address potential vulnerabilities. However, interactions between computer/network security specialists and developers have traditionally been minimal.

Who has the expertise to address application security issues? The expertise for developing secure web pages lies within NOAA’s skilled developer community.

A strategic approach to improving Web and Internet application security within an organization… Must combine the efforts of skilled developers and IT security experts who manage computer and network security. Therefore…

Developer Forums
Bringing security staff and developers together
Objectives:
–Raise security awareness within the organization’s IT community
–Alert developers to security issues and potential vulnerabilities
–Share technical expertise and solutions
–Identify secure programming practices to minimize vulnerabilities
–Initiate a dialog amongst developers and security experts
–Make developers part of the IT security process
–Security training

Developer Forums
Who should participate in the Forum?
–Organization’s ITSO and CIO
–Skilled Web and Internet application developers
–Computer and network security experts
–Any other interested staff: programmers who may not be developing for the Internet or the Web, other interested technical staff, project scientists, management, …

Developer Forums
Invited presentations from:
–ITSO and CIO, to provide context on the magnitude and importance of web/internet security issues
–Skilled Web and Internet application developers, on secure programming in their area of expertise
–Computer and network security experts, where applicable to the forum topics

Developer Forums
Forum focus topics:
–General Internet/Web security issues
–Common Gateway Interface (CGI) scripts
–Database access from a web page
–Secure PHP configuration and scripting
–Generic, secure feedback script to avoid harvesting
–Java and JavaScript
–XML
–Apache configuration and extensions
–Multi-tiered applications that isolate web clients from primary databases

Developer Forums
Example: Forum on Secure CGI programming
–CIO and ITSO established background and context
–Developers made presentations:
  Secure Perl CGI scripting
  Secure PHP configuration and scripting
  Wrapper utilities that eliminate the need to write Perl or other scripts
  Provided relevant references and Web links
–Door prizes: books on secure programming practices
–Solicited ideas for future Forum topics
–Required that one representative from each Project within our organization attend this Forum
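The two Forum topics above that are concrete enough to show in code are the secure CGI script and the "generic, secure feedback script to avoid harvesting". The block below is an added illustration written for this page, not the PMEL script or any code presented at the Forum, and it is in Python rather than Perl so the same checks read the same way regardless of the CGI language. It assumes a hypothetical fixed recipient address (`FEEDBACK_TO`) that lives only in the script, never in the HTML form, so address harvesters cannot read it and spammers cannot redirect mail through it; it rejects CR/LF in any header-bound field (the e-mail header injection that turns a feedback script into an open relay); and it never hands form data to a shell, so there is no `open("|sendmail $to")` to abuse. The `send` callback is injectable so the handler can be exercised offline.

```python
"""Hardened feedback-form handler (added example, not the page's own code)."""
import re
from email.message import EmailMessage

# Assumption: recipient and sender are fixed here, never taken from the form
# and never embedded in the page, so the address cannot be harvested and the
# script cannot be used to relay mail to third parties.
FEEDBACK_TO = "webmaster@example.invalid"        # hypothetical address
FEEDBACK_FROM = "feedback-form@example.invalid"  # hypothetical address

# Per-field length limits; everything else in the form is ignored.
MAX_FIELD = {"name": 100, "email": 254, "subject": 200, "message": 5000}
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_CRLF = re.compile(r"[\r\n]")


def validate_feedback(form):
    """Return (ok, error). Rejects missing or oversized fields, malformed
    reply addresses, and any CR/LF in a field that ends up in a mail header."""
    for field, limit in MAX_FIELD.items():
        value = form.get(field, "")
        if not value.strip():
            return False, f"missing {field}"
        if len(value) > limit:
            return False, f"{field} too long"
        # The body may contain line breaks; header-bound fields may not,
        # otherwise 'Bcc: victim@...' can be smuggled into the headers.
        if field != "message" and _CRLF.search(value):
            return False, f"line break in {field}"
    if not _EMAIL_RE.match(form["email"]):
        return False, "malformed email"
    return True, ""


def build_feedback_message(form):
    """Build the outgoing mail as an EmailMessage. No form value reaches a
    shell: the message is an object, not a command line, so characters like
    ';' or '|' in the input are inert."""
    ok, err = validate_feedback(form)
    if not ok:
        raise ValueError(err)
    msg = EmailMessage()
    msg["To"] = FEEDBACK_TO          # fixed; a 'to' field in the form is ignored
    msg["From"] = FEEDBACK_FROM
    msg["Reply-To"] = form["email"]  # validated: one address, no line breaks
    msg["Subject"] = "[web feedback] " + form["subject"]
    msg.set_content(f"From: {form['name']} <{form['email']}>\n\n{form['message']}")
    return msg


def handle_feedback(form, send=None):
    """Entry point a CGI wrapper calls with the parsed form fields.
    `send` is injectable for offline testing; a deployment would pass, e.g.,
    smtplib.SMTP('localhost').send_message. Returns (status, text)."""
    try:
        msg = build_feedback_message(form)
    except ValueError as e:
        return 400, f"Rejected: {e}"
    if send is not None:
        send(msg)
    return 200, "Thank you for your feedback."


if __name__ == "__main__":
    # Constructed sample submissions: one honest, one header-injection attempt.
    honest = {"name": "Alice", "email": "alice@example.org",
              "subject": "Data question", "message": "Where is the TAO data?"}
    attack = dict(honest, email="alice@example.org\r\nBcc: victim@example.net")
    print(handle_feedback(honest))
    print(handle_feedback(attack))
```

The wrapper that parses the CGI environment (`cgi.FieldStorage` in Python, `CGI.pm` in Perl) is deliberately left out; the security-relevant part is that the recipient is constant, every header-bound field is validated, and the mail is built as a message object rather than a shell command.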

Developer Forums
Example: Invited speaker from the NOAA CIRT (Diane Davidowicz)
–Increased understanding of security experts’ concerns
–Increased awareness of security incidents in NOAA
–Underscored the importance of security to the organization
–Stimulated interest in addressing potential vulnerabilities
–Generated ideas about how security could be improved
–Included developers in the IT security process
–Required that one representative from each Project within our organization attend this Forum

Developer Forums
How well have they worked?
–Forums have raised awareness of IT security issues
–Developers liked the Forums, and requested more on other topics
–Developers felt they benefited from the interaction and technical dialog
–Developers and security staff better understand one another’s concerns
–Developers have initiated IT security improvements within their own projects
–Developers and security staff are both involved in the security process
–At the organizational level, other OAR Senior IT managers requested our Forum web pages

Partnerships
Security issues extend beyond workstations, servers, desktop computers and networks, password and patch management, and the other issues traditionally addressed by a computer support group. Improved communication and a sense of partnership between the computer/networking specialists and programmers is critical to a secure IT environment with secure Web and Internet applications. The Forums bring these two groups together and focus them on a common goal. Policy is easier to implement if IT security staff and developers are already engaged in partnerships and dialogs. When developers are brought into the security process, security is built into applications from the beginning, improving the efficiency and effectiveness of the process.

A cooperative project: Isolating the Web Server outside of the firewall
–Content mirrored automatically from inside to outside the firewall
–Web applications access mirrored databases, not the primary database
–Dedicated Web Server (no other applications)
–No user login accounts on the Web Server
–Reduces overhead, such as backups
–Meets security needs without impacting developer productivity
Although laboratory security experts had been considering a migration towards an isolated web server, the idea occurred independently to one of the Projects (after one of the Forums), and they are already moving towards an implementation, in partnership with security staff, that will serve as a testbed for other Projects.
–Web Server isolation is being accomplished more quickly than would otherwise be possible, because developers and security staff both have ownership from the beginning of the process.
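The data-flow rule on this slide, a one-way push of content from inside the firewall to the isolated web server and web applications that read a mirror rather than the primary database, is worth seeing end to end. The block below is an added illustration for this page, not the Project's implementation, and stands in SQLite files for the primary and mirrored databases so it runs offline. The inside host takes a consistent snapshot of the primary and pushes it out (here with SQLite's online backup API; a real deployment would combine that with a scheduled one-way transfer such as rsync over ssh), and the web tier opens only the mirror, in read-only mode, so it holds no credentials for the primary and even an injected or buggy UPDATE cannot change what the public sees. The table and station names are constructed sample data.

```python
"""Mirrored, read-only database for an isolated web tier (added example)."""
import os
import shutil
import sqlite3
import tempfile


def create_primary(path):
    """Inside-the-firewall primary: the only place writes ever happen."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS obs (station TEXT, sst REAL)")
    # Constructed sample rows; not real observations.
    con.executemany("INSERT INTO obs VALUES (?, ?)",
                    [("BUOY-A", 27.1), ("BUOY-B", 29.3)])
    con.commit()
    con.close()


def refresh_mirror(primary_path, mirror_path):
    """One-way push from inside to the mirror the web server reads.
    Connection.backup() copies a consistent snapshot even while the primary
    is in use. The inside host initiates this; the web server never needs
    a connection to, or credentials for, the primary."""
    src = sqlite3.connect(primary_path)
    dst = sqlite3.connect(mirror_path)
    src.backup(dst)
    dst.close()
    src.close()


def open_mirror_readonly(mirror_path):
    """What the web application opens: the mirror, via a read-only URI.
    mode=ro is enforced by SQLite itself, not by application discipline."""
    return sqlite3.connect(f"file:{mirror_path}?mode=ro", uri=True)


def query_station(mirror_path, station):
    """A typical web-page query against the mirror (parameterised)."""
    con = open_mirror_readonly(mirror_path)
    try:
        row = con.execute("SELECT sst FROM obs WHERE station = ?",
                          (station,)).fetchone()
        return None if row is None else row[0]
    finally:
        con.close()


def write_refused_via_web_tier(mirror_path):
    """Return True if a write attempted through the web tier's connection
    is refused, i.e. the read-only boundary actually holds."""
    con = open_mirror_readonly(mirror_path)
    try:
        con.execute("UPDATE obs SET sst = 0 WHERE station = 'BUOY-A'")
        con.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def demo():
    """Build primary, push a mirror, query it, and prove it cannot be written."""
    workdir = tempfile.mkdtemp()
    primary = os.path.join(workdir, "primary.db")
    mirror = os.path.join(workdir, "mirror.db")
    try:
        create_primary(primary)
        refresh_mirror(primary, mirror)
        return {
            "sst": query_station(mirror, "BUOY-A"),
            "missing": query_station(mirror, "NO-SUCH-STATION"),
            "write_refused": write_refused_via_web_tier(mirror),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Two properties carry the security value: the direction of data flow (inside pushes out; nothing on the web server can reach in), and read-only access enforced below the application. If the mirror were opened read-write "for convenience", a single SQL injection in a page script would again be able to alter published data, even though the primary would still be safe.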

A future project: Use a Layer 7 switching technology or product such as Cisco’s LocalDirector
–Separates the IP address or URL from a specific piece of hardware
–Supports an IP / URL with multiple backend web servers
–Allows security patching without service interruption
–Assures availability
–Manages local load balancing

Summary
–Web pages are critical to meeting NOAA’s strategic goal to “engage, advise, and inform individuals, partners, communities, and industries”
–A strategy is needed to address the security of Web and Internet applications
–Involving developers and IT security staff in dialog and partnerships is critical to securing NOAA Web and Internet applications