IT SECURITY AT UCLA: - PowerPoint PPT Presentation

About This Presentation
Title:

IT SECURITY AT UCLA:

Description:

Free plugins, add-ons and enhancements are part of ever-growing marketplaces for products like WordPress, Joomla, Plone, and yum for RPM systems (Fedora, ... – PowerPoint PPT presentation

Slides: 26
Provided by: itsecurit9
Transcript and Presenter's Notes

Title: IT SECURITY AT UCLA:


1
IT SECURITY AT UCLA: TOOLS AND RESOURCES AT YOUR
DISPOSAL
Information Security Office UCLA IT Services
Alex M. Podobas
2
Topics
  • I. IT Security at UCLA A Brief Overview
  • II. What is AppScan? (...and I care why,
    exactly?)
  • III. Using AppScan in the Software Development
    Life Cycle
  • IV. Making the Case for Using AppScan to Test
    Third-Party Community-Supplied Additions

3
I. UCLA IT Security Office
What's Our Role In This?
4
I. IT Security at UCLA: An Overview
  • The IT Security Office operates from UCLA IT
    Services.
  • It is responsible for information security
    practices, technology, and policies across
    non-medical units at UCLA.
  • A big part of our strategy is not only making
    available stellar, industry-standard testing tools
    but also promoting their use through public talks
    and pragmatic education resources.

5
So What, Though?
Web apps at UCLA do business in two currencies:
money and information.
And very often, in both.
A central premise is that we at UCLA deal in
information. Users must, and expect to, trust
the many sources of information that the
University makes available.
6
II. What is AppScan?
  • An overview

7
II. What is AppScan?
  • AppScan is a vulnerability assessment tool.
  • Provided by IBM and licensed by the IT Security
    Office. We provide it for free to campus
    departments and encourage its frequent use (we'll
    get to that in a minute).
  • AppScan can be run against websites, web
    applications, and their backend features to
    evaluate their existing security measures against
    most known vulnerabilities.

8
II. What is AppScan? Made Easy to Use
  • Accessed from the web browser. Absolutely
    nothing to install, configure, or set up.
  • Easy-to-use user interface.
  • Excellent IBM training reference guides.
  • Ability to assign custom-made security policies
    to groups, and assign users to groups. This is a
    very popular and well-used feature for campus web
    devs.

9
II. What is AppScan?
Fully managed by IT Security Office
Support, Training, and Vulnerability Mitigation
Advice
  • This is anything but an unsupported campus
    product. We manage it, issue and manage
    accounts, and create group policies.
  • IT Security is always willing to:
    • Provide customized, one-on-one, and group
      training sessions for potential or current
      AppScan users.
    • Help interpret AppScan reports and provide
      suggestions.

10
II. What is AppScan? Generated Reports
  • AppScan auto-generates readable reports of all
    potential security issues that were found in the
    last performed scan.
  • The level of detail is great:
    • View vulnerability type by code line
    • Detailed vulnerability explanation
    • Suggested mitigation measures

11
III. AppScan and the Web App SDLC
  • No one, and no one's affiliated group or
    department, wants to end up on the front page of
    the Daily Bruin or the L.A. Times.

12
III. Making the Case
  • AppScan in Web App Development and the SDLC
  • (Software Development Life Cycle)

13
III. AppScan and the SDLC
  • Security itself can be an abstract concept and,
    unfortunately, many who work in web regard it as
    an afterthought.
  • In the context of information security, AppScan
    is not a cure-all solution (for example, it won't
    solve poor framework design decisions), but it
    can certainly assist in identifying potential
    vulnerabilities.

14
Key Advantages
  • AppScan detects:
    • Embedded malware
    • Cross-Site Request Forgery
    • Weak password requirements
    • Unsecured login forms
    • Session management errors
    • Input validation issues (HTML injection, SQL
      injection and XSS attacks)
    • Parameter manipulation (cookie and hidden
      field attacks)
    • Compliance reports for HIPAA, PCI, GLB

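As an added illustration (not part of the original slides) of the input-validation and parameter-manipulation findings listed above, the following Python snippet shows a form-to-database lookup written the vulnerable way beside its parameterised form, and a reflected greeting rendered with and without HTML escaping. The table, the rows and the two probe strings are constructed sample data; the probes are the kind of value a scanner submits to a form field to reveal these two defect classes.

```python
import html
import sqlite3

# Constructed sample rows standing in for a campus directory backend.
SAMPLE_USERS = [
    ("jbruin", "Joe Bruin", "joe@example.edu"),
    ("jsmith", "Jane Smith", "jane@example.edu"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, fullname TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the form value is concatenated into the SQL text, so the
    database parses user-controlled quote characters as SQL syntax."""
    query = "SELECT username, fullname FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a parameterised query; the value is bound as data only,
    so quote characters in it never reach the SQL parser."""
    query = "SELECT username, fullname FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(fullname: str) -> str:
    """Vulnerable: a reflected value is inserted into HTML unescaped (XSS)."""
    return "<p>Welcome, " + fullname + "</p>"


def render_greeting_safe(fullname: str) -> str:
    """Hardened: HTML-escape the value before inserting it into markup."""
    return "<p>Welcome, " + html.escape(fullname, quote=True) + "</p>"


# Constructed probe inputs of the kind a scanner submits to form fields.
SQLI_PROBE = "' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"


def demo() -> dict:
    """Run both probes through the vulnerable and hardened code paths."""
    conn = make_db()
    return {
        # The concatenated query turns the probe into a tautology and leaks every row.
        "vulnerable_rows": len(lookup_user_vulnerable(conn, SQLI_PROBE)),
        # The bound parameter is compared literally and matches nothing.
        "safe_rows": len(lookup_user_safe(conn, SQLI_PROBE)),
        # A legitimate lookup still works through the hardened path.
        "legit_rows": len(lookup_user_safe(conn, "jbruin")),
        "vulnerable_html": render_greeting_vulnerable(XSS_PROBE),
        "safe_html": render_greeting_safe(XSS_PROBE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the developer is the one slide 15 makes: the parameterised lookup is both the secure version and the one whose behaviour you can actually reason about, because the only thing that varies between requests is data, never query structure.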
15
III. AppScan and the SDLC Advantages
AppScan's Advantages
  • Use it as a tool to validate that your
    application is functioning properly. Security is
    a major part of this because insecure web apps
    don't serve their purpose of being reliable
    sources of information.
  • Killing two birds with one stone: testing
    application functionality in part by testing its
    security. For example, use AppScan to see if a
    form with inputs that communicates with a backend
    database is working properly. This tests an
    application's logic integrity (more compelling
    for the developer) and also gives real-time
    feedback.

16
III. AppScan and the SDLC Advantages
AppScan's Advantages
  • When you make any change (be it to code, the
    underlying database, or your backend hosting
    system), you immediately invalidate the results
    of prior security tests, including AppScan tests.
    Make it part of the SDLC routine.
  • This is a matter of time cost: running AppScan
    only once, and then making changes afterward,
    turns that one run into wasted effort and leaves
    you with invalid results.

17
III. AppScan and the SDLC Considerations
AppScan Considerations
  • AppScan is incredibly invasive. It can inject bad
    SQL data and even cause DoS (Denial of Service).
  • It can cause dramatic performance reductions
    (including lower read/write database speeds and
    script processing).
  • Therefore, we strongly recommend testing your web
    apps in a sandbox, outside of a production web
    server environment.

18
IV. Making the Case
  • AppScan and Third-Party, Community-Supplied
    Software

19
IV. AppScan and Third-Party Software
  • We live in a web where free additions to
    platforms are readily available, easy to obtain,
    and easy to install.
  • Free plugins, add-ons and enhancements are part
    of ever-growing marketplaces for products like
    WordPress, Joomla, Plone, and yum for RPM systems
    (Fedora, CentOS), among many others.

20
IV. AppScan and Third-Party Software
Human nature has a tendency to trust, especially
when a trusted source makes available software
under its name. In each of the examples below, the
platform's name lends a false air of credibility to
the third-party software:
  • "WordPress Plugin"
  • "Joomla Extension"
  • "Plone Add-On"
  • "jQuery plugin"

21
IV. AppScan and Third-Party Software
Example 1: Joomla's Official Vulnerable
Extensions List
http://docs.joomla.org/Vulnerable_Extensions_List
  • A prolific list of approximately 164 Joomla
    extensions with known exploits.
  • These largely consist of XSS, file upload, and
    SQL injection issues: the very vulnerabilities
    that AppScan is so adept at catching.

22
IV. AppScan and Third-Party Software
Example 2: Secunia's WordPress Vulnerability
Records
http://secunia.com/advisories/product/SOFT_W/list
  • Secunia is a reputable European security firm,
    based in Denmark. Like Sophos, it also maintains
    a public-facing record of WordPress plugin
    vulnerabilities.
  • These largely consist of XSS, file upload, and
    SQL injection issues: the very vulnerabilities
    that AppScan is so adept at catching.

23
IV. AppScan and Third-Party Software
Don't Blindly Trust Community-Supplied Software
  • A common assumption is that plugins obtained from
    a source like WordPress, Plone, or Joomla are
    therefore safe. This is a risky approach and
    increases the risk of your web application
    becoming compromised.
  • You simply can never be sure that the third-party
    software, or the unique combination of plugins
    you use together, has been vetted for security.
    These are an often overlooked attack vector.
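
The following added example (not from the original presentation) shows one way a department could act on this advice before pointing AppScan at the site: audit the installed extensions against a list of published advisories and against the set of extensions the team has actually vetted. The extension names, versions, advisory records and vetted set are constructed placeholders, not entries from the Joomla or Secunia lists the slides cite, and the version comparison is a deliberately simple numeric one.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    plugin: str
    fixed_in: Optional[str]  # first fixed version; None means no fix is published
    issue: str


# Constructed advisory records (placeholders, not real list entries).
ADVISORIES: List[Advisory] = [
    Advisory("com_example_gallery", "2.1.0", "SQL injection in search parameter"),
    Advisory("mod_example_upload", None, "unrestricted file upload"),
    Advisory("plg_example_comments", "1.4.2", "stored XSS in comment body"),
]

# Constructed inventory, as a site export might list name -> installed version.
INSTALLED: Dict[str, str] = {
    "com_example_gallery": "2.0.3",
    "mod_example_upload": "0.9",
    "plg_example_comments": "1.4.2",
    "plg_example_contact": "3.0.0",
}

# Constructed set of extensions the team has reviewed and approved.
VETTED: Set[str] = {"com_example_gallery", "plg_example_comments"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.1.0' or '1.4-beta' into a tuple of integers, ignoring suffixes."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; pads with zeros so '1.4' equals '1.4.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def audit(installed: Dict[str, str], advisories: List[Advisory]) -> List[dict]:
    """Flag every installed extension that an advisory says is still affected."""
    by_name: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_name.setdefault(adv.plugin, []).append(adv)
    findings = []
    for name, version in sorted(installed.items()):
        for adv in by_name.get(name, []):
            affected = adv.fixed_in is None or compare_versions(version, adv.fixed_in) < 0
            if affected:
                findings.append({
                    "plugin": name,
                    "installed": version,
                    "issue": adv.issue,
                    "action": "remove or replace" if adv.fixed_in is None
                              else f"upgrade to {adv.fixed_in}",
                })
    return findings


def unvetted(installed: Dict[str, str], vetted: Set[str]) -> List[str]:
    """List installed extensions nobody on the team has reviewed."""
    return sorted(name for name in installed if name not in vetted)


if __name__ == "__main__":
    for finding in audit(INSTALLED, ADVISORIES):
        print(f"{finding['plugin']} {finding['installed']}: {finding['issue']} -> {finding['action']}")
    print("not vetted:", ", ".join(unvetted(INSTALLED, VETTED)))
```

An advisory match is a reason to upgrade or remove before scanning; an extension that is merely unvetted is the case the slide is really about, where "no advisory" is not the same as "reviewed", and it is exactly the kind of component that deserves a scan of its own.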

24
Getting Aboard
I want to use it! What do I do?
  • Visit itsecurity.ucla.edu/appscan
  • View a product summary, this presentation, and a
    contact form. Fill that out to get started. We
    will handle issuing you an account, creating
    group policies, setting up a training session,
    and whatever else you need to get started with
    AppScan.

25
Last But Not Least: Let's Follow Up
Follow and Keep Up With UCLA IT Security
@UCLAIT_Security: Security Alerts and Advisories
www.itsecurity.ucla.edu: Security listserv and many pragmatic reference and educational resources