Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Security for REDCap Extended Features Protecting REDCap extended features (Twilio, Mobile App, API, and more). – Staying ahead of the bad guys.

Published byCalvin Richard Modified over 6 years ago

Similar presentations

Presentation on theme: "Cyber Security for REDCap Extended Features Protecting REDCap extended features (Twilio, Mobile App, API, and more). – Staying ahead of the bad guys."— Presentation transcript:

1 Cyber Security for REDCap Extended Features Protecting REDCap extended features (Twilio, Mobile App, API, and more). – Staying ahead of the bad guys – An open discussion on cyber security as it pertains to REDCap. Discussion Leaders Brian Man and Kevan Essmyer

2 Why mess with a good thing?
“This (REDCap) is great, but would it be possible to….?” “This is exactly what we want….do you think you could maybe….?” “We’ve got a guy who’ll write our API programs for us...don’t worry about it...” “Mobile app, cool!, all of our team members have phones….” “We need access to the database so we can generate the reports we need…” “It’s HTTPS, so we’re protected...”

3 Twilio Twilio supports the TLS cryptographic protocol.
Clustered architecture reliable high availability service. "Fallback" URLs on incoming phone numbers SMS Low risk -- Secure URL links to REDCap surveys High Risk -- direct text question/response (Non-PHI only)

4 API Limit Token access Project Isolation
Request overhead to limit number of tokens created Responsibility (IRB) Project Isolation API limited to individual project Token use tied to single user account SSL transport layer independent of API security Only effective if the client checks for certificate validation API limited functionality Controlled number of system access points Limited functions

5 Mobile App Mobile Top 10 2016 Improper Platform Usage
Insecure Data Storage Insecure Communication Insecure Authentication Insufficient Cryptography Insecure Authorization Poor Code Quality Code Tampering Reverse Engineering Extraneous Functionality -- (Low-ish Risk) Official Release -- REDCap Mobile App Source code tightly controlled Primarily API Developer and user tested Specialized token user rights (Moderate to High Risk) Locally Developed App API clients Monitor Server API Traffic Try to work as a partner if possible Allow access to test server for app testing Information Security Office ← Friends!!!

6 File Sharing features Risk Mitigate Risk Multiple users on system
Unintended transfers of Protected Information (leak) Malware propagation Content is not scanned for malware before upload Host system vulnerability Mitigate Risk Disable Feature (Determined to be high risk, Redundant--site license for Box exists) Virus Scan storage directory Resilient host environment Limit file types

7 More? (Extra Features, plugins, and stuff)
Plugins,hooks, “Special Reporting Scripts or Programs” Secure programming best practices Limit input options Filter free-text input prior to processing Security scans Detect vulnerabilities Standardize/revise best practice components Protected space Plugin access granted only after authentication Make use of “built in” system security container Isolate Abusive Access lockout access until user can explain cause and prove it has been addressed.

8 Discussion Break Who’s worried about security? (Am I doing enough?)
Who’s had security issues? Who’s put off using a feature due concerns?

9 Risk Management “100% secure system --Chernobyl Method-- unplug the box and bury it under 100 tons of cement” Alternative Scheme: Sound workflow policy for using technology Best practices Monitoring Isolation - minimum amount of access necessary Routine security testing Regulatory review boards Data Breach Insurance personal note: Most data issues have been caused by users using regular features -KE

Download ppt "Cyber Security for REDCap Extended Features Protecting REDCap extended features (Twilio, Mobile App, API, and more). – Staying ahead of the bad guys."

Similar presentations

OWASP Mobile Top 10 Beau Woods

OWASP Mobile Top 10 Beau Woods
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
PETs and ID Management Privacy & Security Workshop JC Cannon Privacy Strategist Corporate Privacy Group Microsoft Corporation.

PETs and ID Management Privacy & Security Workshop JC Cannon Privacy Strategist Corporate Privacy Group Microsoft Corporation.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.
Security Testing Case Study 360logica Software Testing Services.

Security Testing Case Study 360logica Software Testing Services.
An Inside Look at Mobile Security Android & iOS Zachary Hance & Andrew Phifer Dr Harold Grossman.

An Inside Look at Mobile Security Android & iOS Zachary Hance & Andrew Phifer Dr Harold Grossman.
Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.

Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.

Similar presentations

Ads by Google