Case study: An educated decision

West Virginia University was looking to protect student and staff data... and it found a solution, reports Greg Masters.

When West Virginia University (WVU) was established in 1867 along the banks of the Monongahela River, the patent filing for the telephone was still a decade away, so conveying messages took some time. Fast forward about 150 years, and WVU was facing another challenge with its communications, but this time it was a massive increase in the amount of data traversing its network.

The institution has come a long way from its earliest days as an agricultural college, assembled on the foundation of two former academies and a women's seminary and nestled on land that had once been hotly contested among early settlers, British and French military and Native Americans. Now, along with the Morgantown Personal Rapid Transit system, a monorail that connects WVU's three Morgantown campuses with the downtown area, systems are needed as well to transfer the data of the institution's growing population. For its fall 2011 semester, around 33,000 students enrolled. Add to that approximately 6,500 faculty and staff on the main campus in Morgantown, as well as spread across several regional campuses in Montgomery and Keyser, and that's a lot of personally identifiable information (PII) to protect.

With the ever-increasing threat landscape and new attacks being launched daily, Alex Jalso, assistant director in the Office of Information Security at WVU, needed to ensure that web applications, either developed in-house or purchased from vendors, did not have vulnerabilities that would put the university at risk. It was time to transition from a reactive to a proactive approach, he says.

“If a university website containing PII is compromised, there is the direct cost of providing identity protection to all who are impacted and the indirect cost of bad publicity to the university,” he says.

The search is on

Jalso and his staff – along with the WVU Office of Information Technology, which provides educational and administrative computing information – began looking at solutions that might help protect this confidential student and staff data.

When Jalso came on board, the university already had in place IBM's Rational AppScan, a software tool that performs vulnerability testing to assess applications for security flaws. After assessing the university's security posture, Jalso says, he saw no need to make any changes.

“AppScan uses static or white box analysis to scan source code or byte code directly, allowing detailed analysis of potential taint flow and identification of issues pinpointed to the precise line of code,” says Jack Danahy, security executive at IBM Rational.

The tool also uses dynamic or black box analysis to analyze complete web applications by automatically crawling the code, mutating server requests and analyzing responses, he says. Further, new JavaScript analyzer capabilities allow AppScan to study client-side JavaScript for potential vulnerabilities, allowing it to identify security flaws that have been overlooked by other tools. And, the latest version of AppScan has added run-time, or glass box, analysis, which monitors apps during a dynamic scan to enhance test coverage.
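To make the static, white-box idea concrete, here is a small taint-flow checker written for this article as an added example; it is not AppScan's code and the source, sink and sanitizer lists are assumptions chosen for illustration. It walks the Python AST, marks variables assigned from untrusted request input as tainted, clears the mark on a clean reassignment or a top-level sanitizer call, and reports the exact line where a tainted value reaches a dangerous sink. The sample handler it scans is constructed for the example.

```python
import ast

# Toy source/sink model (constructed for this example, not AppScan's rule set).
SOURCES = {"request.args.get", "request.form.get", "input"}          # untrusted input
SINKS = {"cursor.execute", "os.system", "subprocess.call", "eval"}   # dangerous consumers
SANITIZERS = {"int", "escape"}                                       # treated as cleansing


def dotted_name(node):
    """Return the dotted callee name of a call target, e.g. 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintFinder(ast.NodeVisitor):
    """Flow-insensitive taint tracker: variables become tainted by assignment
    from a source and are cleared by a clean reassignment."""

    def __init__(self):
        self.tainted = {}    # variable name -> line where it became tainted
        self.findings = []   # (sink, line, origin)

    def taint_origin(self, expr):
        """Name of the source call or tainted variable feeding expr, else None."""
        if isinstance(expr, ast.Call) and dotted_name(expr.func) in SANITIZERS:
            return None      # a top-level sanitizer call cleanses the value
        for n in ast.walk(expr):
            if isinstance(n, ast.Call) and dotted_name(n.func) in SOURCES:
                return dotted_name(n.func)
            if isinstance(n, ast.Name) and n.id in self.tainted:
                return n.id
        return None

    def visit_Assign(self, node):
        origin = self.taint_origin(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if origin:
                    self.tainted[target.id] = node.lineno
                else:
                    self.tainted.pop(target.id, None)   # clean reassignment kills taint
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = dotted_name(node.func)
        if callee in SINKS:
            for arg in node.args:
                origin = self.taint_origin(arg)
                if origin:
                    self.findings.append((callee, node.lineno, origin))
        self.generic_visit(node)


def scan(source):
    """Return [(sink, line, origin)] for every tainted argument reaching a sink."""
    finder = TaintFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample: a Flask-style handler with one unsafe and one sanitized query.
SAMPLE = """
from flask import request
import sqlite3

def lookup():
    conn = sqlite3.connect("students.db")
    cursor = conn.cursor()
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM students WHERE id = " + uid)
    page = int(request.args.get("page"))
    cursor.execute("SELECT * FROM pages WHERE n = %d" % page)
    return "ok"
"""

if __name__ == "__main__":
    for sink, line, origin in scan(SAMPLE):
        print(f"line {line}: tainted value from {origin} reaches {sink}")
```

Run stand-alone, the scanner flags only line 9 of the sample, where the string built from `uid` reaches `cursor.execute`; the `int()`-wrapped page number on line 11 is treated as sanitized. The checker is deliberately simple (no interprocedural flow, no branch sensitivity, taint tracked by variable name only), which is exactly the gap that the dynamic and glass-box modes described above are meant to fill by observing the running application instead of the source alone.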

A noticeable benefit is that the tool provides extensive reporting and collaboration capabilities. This was integral to WVU's needs – not just for staff keeping an eye on network activity, but for auditors checking in on the university's compliance with a number of mandates and guidelines. Jalso found the tool's ability to share results in a controlled fashion through a web-based reporting interface to be particularly useful.

“Reports can be created for different audiences, such as security professionals, developers, compliance officers and management,” adds IBM's Danahy. “AppScan has also been designed to integrate with software development lifecycle tools, allowing teams to make security testing part of their process, rather than an expensive afterthought.”