
An educated decision: Network smarts at WVU

West Virginia University was looking to protect student and staff data. It found a software solution to assist in the process, reports Greg Masters.

When West Virginia University (WVU) was first established in 1867, the patent filing for the telephone was still a decade away, so conveying messages took some time. Fast forward about 150 years, and WVU was facing another challenge with its communications, but this time it was a massive increase in the amount of data traversing its network.

It has come a long way from its earliest days as an agricultural college. For its Fall 2011 semester, around 33,000 students enrolled. Add to that approximately 6,500 faculty and staff on the main campus in Morgantown, as well as spread across several regional campuses in Montgomery and Keyser, and that's a lot of personally identifiable information (PII) to protect.

There are around 120 staff in the university's Office of Information Technology charged with the task. The Office of Information Technology is one of approximately 24 independent IT units across WVU.

With the ever-increasing threat landscape and new attacks being launched daily, Alex Jalso, assistant director in the Office of Information Security at WVU, needed to ensure that web applications, both those developed in-house and purchased from vendors, did not have vulnerabilities that would put the university in an information security liability situation. It was time to transition from a reactive to a proactive approach, he says.

"If a university website containing PII is compromised, there is the direct cost of providing identity protection to all who are impacted and the indirect cost of bad publicity to the university," he says.

He and his staff, along with the college's Office of Information Technology management, began looking at solutions that might help protect student and staff data.

IBM's Rational AppScan Standard, a tool that assesses applications for security vulnerabilities and provides actionable reports, was already in use at the university when Jalso came on board.

After examining a number of other security solutions, Jalso says there was no need to make any changes.

"AppScan uses static or white box analysis to scan source code or byte code directly, allowing detailed analysis of potential taint flow and identification of issues pinpointed to the precise line of code," says Jack Danahy, security executive at IBM Rational.

It uses dynamic or black box analysis to test complete web applications by automatically crawling the application, mutating server requests and analyzing the responses, he says. New JavaScript Analyzer capabilities allow AppScan to also analyze client-side JavaScript for potential vulnerabilities, so it can identify security flaws that other tools overlook. And AppScan has added runtime or Glassbox analysis, which monitors the application from the inside during a dynamic scan to significantly enhance test coverage and accuracy.
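To make the white-box idea concrete, here is a deliberately small taint-flow analysis over Python source using the standard `ast` module. This is an added illustration written for this page, not IBM's code and not part of the original article: the source, sink and sanitizer names (`request.args.get`, `cursor.execute`, `int`) are assumptions chosen for the example, and the analysis is intra-procedural and flow-insensitive, whereas a real scanner tracks flows across functions and files with far larger catalogs. What it does show is the essential mechanism Danahy describes: data entering from a user-controlled source is followed through assignments and string building until it reaches a dangerous sink, and the finding names both the sink line and the line where the taint entered.

```python
"""Minimal intra-procedural taint-flow analysis for Python source.

Added example (not IBM AppScan's code): follows user-controlled data from a
source API to a dangerous sink and reports the precise lines involved.
"""
import ast

# Assumed catalog for the example; a real scanner has thousands of entries.
SOURCES = {"request.args.get", "request.form.get"}   # user-controlled input
SINKS = {"cursor.execute", "os.system"}              # dangerous operations
SANITIZERS = {"int", "escape"}                       # calls that cleanse data


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for other nodes."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}    # variable name -> line where taint entered
        self.findings = []   # (sink name, sink line, source line)

    def is_tainted(self, expr):
        """Return the line where taint entered if expr carries it, else None."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in SOURCES:
                return expr.lineno          # taint originates here
            if name in SANITIZERS:
                return None                 # sanitizer breaks the flow
            for arg in expr.args:           # other calls propagate taint
                origin = self.is_tainted(arg)
                if origin:
                    return origin
            return None
        if isinstance(expr, ast.BinOp):     # string concatenation / % formatting
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr): # f-strings
            for part in expr.values:
                if isinstance(part, ast.FormattedValue):
                    origin = self.is_tainted(part.value)
                    if origin:
                        return origin
        return None

    def visit_Assign(self, node):
        origin = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if origin:
                    self.tainted[target.id] = origin
                else:
                    self.tainted.pop(target.id, None)   # reassigned with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        if dotted_name(node.func) in SINKS:
            for arg in node.args:
                origin = self.is_tainted(arg)
                if origin:
                    self.findings.append((dotted_name(node.func), node.lineno, origin))
        self.generic_visit(node)


def find_taint_flows(source_code):
    """Parse source_code and return a list of (sink, sink_line, source_line)."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source_code))
    return analyzer.findings


# Constructed sample: line 2 reads user input, line 4 uses it unsanitized,
# line 5 sanitizes it, so only line 4 should be reported.
SAMPLE = '''\
def lookup(request, cursor):
    student_id = request.args.get("id")
    query = "SELECT name FROM students WHERE id = '" + student_id + "'"
    cursor.execute(query)
    clean_id = int(student_id)
    cursor.execute("SELECT name FROM students WHERE id = %d" % clean_id)
'''

if __name__ == "__main__":
    for sink, sink_line, source_line in find_taint_flows(SAMPLE):
        print(f"{sink} at line {sink_line} receives data from line {source_line}")
```

Running the module reports the single unsanitized flow (source on line 2, sink on line 4) and stays silent about the `int()`-sanitized query on line 6. Swapping the constructed `SAMPLE` for real application code is where such a tool earns its keep, and also where the simplifications above (no interprocedural tracking, no branch awareness) would need to be lifted.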

A noticeable benefit for Jalso's team at WVU was that AppScan provides extensive reporting and collaboration capabilities, which permit results to be shared in a controlled fashion through a web-based reporting interface. 

"Reports can be created for different audiences, such as security professionals, developers, compliance officers and management," says IBM's Danahy. "AppScan has also been designed to integrate with software development lifecycle tools, allowing teams to make security testing part of their process, rather than an expensive afterthought."

AppScan's database of attacks and attack techniques can be updated through its "Live Update" feature, adds Danahy. This feature allows users to decide if they want to receive updates whenever AppScan is launched. Once the update process ends, updates are automatically installed in AppScan, and information regarding the specific update will appear in the "Updates log."

With the assistance of IBM's AppScan Enterprise support staff, the deployment of the tool across the entire university enterprise went smoothly and Jalso was pleased with the implementation. And, he is finding it is easy to manage and operate and its functionality is meeting his expectations. 

One of its biggest assets, Jalso says, is its help in meeting compliance requirements. "ASE assists with a number of regulations in that it identifies security vulnerabilities and provides compliance reports for applications which contain sensitive information," he says.

The tool assists in a number of areas, he says. "For compliance to FERPA, HIPAA and PCI regulations it identifies security vulnerabilities and provides reports for applications which contain sensitive information," he says. "For intrusion detection and intrusion prevention it helps from a system configuration need. And for secure coding practices, it is invaluable from a software development need."
