Case study: An educated decision
West Virginia University was looking to protect student and staff data... and it found a solution, reports Greg Masters.
When West Virginia University (WVU) was established in 1867 along the banks of the Monongahela River, the patent filing for the telephone was still a decade away, so conveying messages took some time. Fast forward about 150 years, and WVU was facing another challenge with its communications, but this time it was a massive increase in the amount of data traversing its network.
The institution has come a long way from its earliest days as an agricultural college, assembled on the foundation of two former academies and a women's seminary and nestled on land that had once been hotly contested among early settlers, British and French military and Native Americans. Now, alongside the Morgantown Personal Rapid Transit system, a monorail that connects WVU's three Morgantown campuses with the downtown area, systems are needed as well to transfer the data of the institution's growing population. For its fall 2011 semester, around 33,000 students enrolled. Add to that approximately 6,500 faculty and staff on the main campus in Morgantown, as well as spread across several regional campuses in Montgomery and Keyser, and that's a lot of personally identifiable information (PII) to protect.
With the ever-increasing threat landscape and new attacks being launched daily, Alex Jalso, assistant director in the Office of Information Security at WVU, needed to ensure that web applications, either developed in-house or purchased from vendors, did not have vulnerabilities that would put the university at risk. It was time to transition from a reactive to a proactive approach, he says.
The search is on
Jalso and his staff – along with the WVU Office of Information Technology, which provides educational and administrative computing information – began looking at solutions that might help protect this confidential student and staff data.
When Jalso came on board, the university already had in place IBM's Rational AppScan, a software tool that performs vulnerability testing to assess applications for security flaws. Assessing the university's security posture, Jalso says there was no need to make any changes.
“AppScan uses static or white box analysis to scan source code or byte code directly, allowing detailed analysis of potential taint flow and identification of issues pinpointed to the precise line of code,” says Jack Danahy, security executive at IBM Rational.
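As an added illustration of the static taint-flow analysis Danahy describes (this is not AppScan's code or rule set), the following Python script tracks data from an untrusted source to a database sink within one function and reports the line of the sink. The source, sink and sanitizer lists and the sample function it scans are constructed for this demo.

```python
import ast

# Constructed rule set for this demo: where untrusted data enters,
# where it must not arrive unchecked, and what counts as cleaning it.
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"cursor.execute", "os.system"}
SANITIZERS = {"int"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls a source;
    a sanitizer call stops propagation for its whole subtree."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        return any(is_tainted(a, tainted) for a in expr.args)
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def find_taint_flows(source_code):
    """Sequential, intra-procedural taint tracking over each function.
    Returns (sink name, line number) for every sink fed tainted data."""
    findings = []
    tree = ast.parse(source_code)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                # Assignment propagates taint, or clears it if the RHS is clean.
                tainted = tainted | names if is_tainted(stmt.value, tainted) else tainted - names
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and dotted_name(call.func) in SINKS:
                    if any(is_tainted(a, tainted) for a in call.args):
                        findings.append((dotted_name(call.func), call.lineno))
    return findings

# Constructed sample: line 4 concatenates untrusted input into SQL,
# line 6 casts it to int first and uses a parameterised query.
SAMPLE = '''\
def lookup_student(request, cursor):
    student_id = request.args.get("id")
    query = "SELECT * FROM students WHERE id = " + student_id
    cursor.execute(query)
    safe_id = int(student_id)
    cursor.execute("SELECT * FROM students WHERE id = %s", (safe_id,))
'''
```

Running `find_taint_flows(SAMPLE)` reports only the unsanitised sink on line 4; the parameterised call on line 6 is not flagged because the cast is treated as a sanitizer.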
A noticeable benefit is that the tool provides extensive reporting and collaboration capabilities. This was integral to WVU's needs – not just for staff keeping an eye on network activity, but for auditors checking the university's compliance with a number of mandates and guidelines. Jalso found the tool's ability to share results in a controlled fashion through a web-based reporting interface to be particularly useful.
“Reports can be created for different audiences, such as security professionals, developers, compliance officers and management,” adds IBM's Danahy. “AppScan has also been designed to integrate with software development lifecycle tools, allowing teams to make security testing part of their process, rather than an expensive afterthought.”