Web Applications, University Policy, and Security Assistance
Related services: Vulnerability Scanning
Because websites and web applications have to operate in an environment that’s more challenging than ever, university policy requires them to pass vulnerability scanning before they are first launched and every time there's a major upgrade or change. Easy-to-use services available from the IT Security Office (ITSO) can identify and fix potential problems before launch and prevent websites and web applications from becoming a target for criminals looking for ways to break in.
Members of the Cornell community who manage web applications must verify that the apps:
- Handle data securely.
- Are free of vulnerabilities.
- Don’t collect or store any information they’re not allowed to.
Why it’s important to keep web applications secure
Among the top issues in IT security today, several relate directly to web apps.
There’s a need to:
- Manage the security life cycle of all in-house-developed and acquired software in order to prevent, detect, and correct security weaknesses.
- Inventory, track, and correct all software on the network so that only authorized software is installed and can run, and so that unauthorized and unmanaged software is found and prevented from being installed or executed.
- Minimize avenues for possible attack and opportunities for attackers to manipulate people’s interaction with the web and email.
Services from the IT Security Office
ITSO provides services that can help you with these tasks. They include:
- Scan on Demand, an easy-to-use, web-based, feature-rich, and up-to-date general-purpose vulnerability scanner.
- IT staff access to a web-based vulnerability scanning utility, AppSpider, also easy to use, feature-rich, and current with the latest vulnerability scanning signatures.
- On-request scans of networks, websites, or applications.
Building in security from the beginning
To factor security concerns in from the start, and so weed out potential issues much earlier in the selection or development process, think about:
- How you assess the risks of new technologies, software deployment, software development, and partnerships with cloud vendors.
- How good information security practices factor into your development or deployment decisions.
To support these types of evaluations, the IT Security Office, in partnership with central IT, security liaisons, NYSERNet, and SANS, created a program to improve web application security on campus. The program combines:
- Commercial training
- Safer alternative web app development offerings
- Server security improvements
- Improved network intrusion detection
- Web application firewalls in the data center
- High-fidelity vulnerability scanning
- Professional consulting by Security Engineering
One component in this effort was a course, Defending Web Applications Security Essentials (SANS DEV522), hosted on campus spring 2016 and attended by a number of IT professionals from across Cornell. Similar future opportunities will be promoted in the IT@Cornell News email sent weekly to all staff in IT roles at the university. Watch for these and other news from the IT Security Office to support your efforts to run strong, secure web applications.
Reporting electronic security incidents
As outlined in University Policy 5.4.2, when a vulnerability that hasn’t been addressed through the processes above is exploited, the resulting electronic security incident must be reported promptly to the IT Security Office. ITSO will evaluate it for the potential of a breach of institutional information and fix problems immediately.
For more information, see Vulnerability Scanning.