University Wide Vulnerability Scanning Program


1 University Wide Vulnerability Scanning Program
Partnering with the campus to secure the campus
Gil Salazar | May 16th, 2012 | University of Arizona

2 State of the Internet Recent studies show that websites are exposed to serious vulnerabilities every day. The University of Arizona has numerous webpages that serve as the face of its academic programs, research centers, and the University at large. Many of these have web applications that are embedded in the web pages and are exposed to the internet.

3 State of the UA Web space
As the result of a state audit, the Arizona Board of Regents mandated that the three state universities perform annual scans of all internet-facing applications and servers.

4 Website Security Concerns
Websites and applications are developed by a wide variety of campus members: professional staff, faculty, researchers, and graduate and undergraduate students at various levels. Often, web development is not their primary job or area of expertise. Many of the vulnerabilities are contained within custom website code, and the vulnerabilities OWASP recognizes are often the result of poor coding.

5 Challenges
The Information Security Office consists of a small staff that is not positioned to take on operational work on behalf of the campus.
The UA campus is highly distributed in both tech support and purpose.
The UA's recent economic environment has put additional pressure on departments, resulting in a decrease in technical staff.
Finding the right scanning tools was, and still is, a challenge.

6 Challenges
To ensure success, we needed to organize and streamline the processes as much as possible for the campus IT support groups.
Funding was needed for server and application scanner licenses.
The UA needed to find a creative, efficient way of fulfilling the scanning requirements.

7 Teamwork
The Information Security Office created a project approach to developing and implementing a university-wide scanning program. We recruited a working group of 12 IT staff members chosen strategically from across the campus. Working together, the campus selected QualysGuard and IBM AppScan, and more recently Qualys Web Application Scanner. The working group received free two-day training and certification on IBM AppScan in exchange for assisting in creating a train-the-trainer program. The group met for several months to distill the training program down to four hours and tailor it to a UA-specific scanning program.

8 Logistics
The Information Security Office set up a communication plan in order to get buy-in from campus leadership and stakeholders university-wide. This helped to ensure a level of support and understanding of the effort required of server administrators and developers in colleges and administrative units.
Licenses needed to be managed for each developer for a specific timeframe. This led to an online request form and ticket tracking to schedule and prepare licenses.
Specific instructions were developed to educate campus IT support staff and developers on the process of scheduling licenses, how to proceed with the scans, remediate issues, create action plans, and send in final scan reports.
We utilized graduate assistants to create an application and server inventory database. The system serves as an initial critical inventory of servers and applications, assists in tracking the annual scanning requirement, and provides a process for transparent reporting on the scanning program. Future plans are to link the inventory and scanning databases with other central databases, the device owners who manage IP address ranges, and the SSL certificate program.

9 Outcomes
Created an online information security awareness program session that is mandatory for all UA web developers. The training is based on OWASP's Top Ten; a number of staff with good security expertise assisted with reviewing and validating the training content.
The workgroup conducted initial sessions and then worked together to create an online training video so that appropriate IT staff from across campus can easily access training and information as required.
Created a scanner support group as a resource for campus.

10 Impact to Campus Taking the web development training is a mandatory prerequisite and ensures that both training and scanning work together to create a consistent OWASP Top Ten approach to development of security best practices. The AppScan Train the Trainer Program has been very successful in getting a large cross-section of campus IT staff members trained in using the Application Scan tool. Security has become an integral process in web application development. The communication plan provided a robust and comprehensive way of spreading the word to campus stakeholders of their obligation to ensure that their internet-facing devices and applications are scanned with security tools.

11 Impact to Campus
The Information Security Liaisons are responsive to the program because we have provided support for their efforts with stakeholders, and provided much-needed organization and streamlining to make the process as efficient as possible for them. Campus buy-in to security is on the rise.
Campus web server code is being cleaned up and security vulnerabilities are reduced.
The UA has begun to collect metrics on scanning and remediation of vulnerabilities.
ABOR's scanning initiative is being met.

12 Scans Completed

13 Questions???
Gil Salazar, Information Security Analyst, Senior

