West Virginia University was looking to protect student and staff data… and it found a solution, reports Greg Masters.

When West Virginia University (WVU) was established in 1867 along the banks of the Monongahela River, the patent filing for the telephone was still a decade away, so conveying messages took some time. Fast forward about 150 years, and WVU was facing another challenge with its communications, but this time it was a massive increase in the amount of data traversing its network.

The institution has come a long way from its earliest days as an agricultural college, assembled on the foundation of two former academies and a woman’s seminary and nestled on land that had once been hotly contested among early settlers, British and French military and Native Americans. Now, along with Morgantown Personal Rapid Transit system, a monorail that connects WVU’s three Morgantown campuses with the downtown area, systems are needed as well to transfer data of the institute’s growing population. For its fall 2011 semester, around 33,000 students enrolled. Add to that approximately 6,500 faculty and staff on the main campus in Morgantown, as well as spread across several regional campuses in Montgomery and Keyser, and that’s a lot of personally identifiable information (PII) to protect.

With the ever-increasing threat landscape and new attacks being launched daily, Alex Jalso (left), assistant director in the Office of Information Security at WVU, needed to ensure that web applications, either developed in-house or purchased from vendors, did not have vulnerabilities that would put the university at risk. It was time to transition from a reactive to a proactive approach, he says.

“If a university website containing PII is compromised, there is the direct cost of providing identity protection to all who are impacted and the indirect cost of bad publicity to the university,” he says.

The search is on

Jalso and his staff – along with the WVU Office of Information Technology, which provides educational and administrative computing information – began looking at solutions that might help protect this confidential student and staff data.

When Jalso came on board, the university already had in place IBM’s Rational AppScan, a software tool that performs vulnerability testing to assess applications for security flaws. Assessing the university’s security posture, Jalso says there was no need to make any changes.

“AppScan uses static or white box analysis to scan source code or byte code directly, allowing detailed analysis of potential taint flow and identification of issues pinpointed to the precise line of code,” says Jack Danahy (right), security executive at IBM Rational.

The tool also uses dynamic or black box analysis to analyze complete web applications by automatically crawling the code, mutating server requests and analyzing responses, he says. Further, new JavaScript analyzer capabilities allow AppScan to study client-side JavaScript for potential vulnerabilities, allowing it to identify security flaws that have been overlooked by other tools. And, the latest version of AppScan has added run-time, or glass box, analysis, which monitors apps during a dynamic scan to enhance test coverage.

A noticeable benefit is that the tool provides extensive reporting and collaboration capabilities. This was integral to the WVU’s needs – not just for staff keeping an eye on network activity, but for auditors checking in on the university’s compliance to a number of mandates and guidelines. Jalso found the tool’s ability to share results in a controlled fashion through a web-based reporting interface to be particularly useful.

“Reports can be created for different audiences, such as security professionals, developers, compliance officers and management,” adds IBM’s Danahy. “AppScan has also been designed to integrate with software development lifecycle tools, allowing teams to make security testing part of their process, rather than an expensive afterthought.”

Implementation smooth

With the assistance of IBM’s AppScan Enterprise (ASE) support staff, the deployment of the tool across the enterprise went smoothly, Jalso says. And, he appreciates how easy it is to manage.

One of its biggest assets, Jalso says, helping to meet compliance requirements. “ASE assists with a number of regulations in that it identifies security vulnerabilities and provides compliance reports for applications which contain sensitive information,” he says.

Further, for intrusion detection and intrusion prevention, it helps from a system configuration need, he says. “And for secure coding practices, it is invaluable from a software development need.”

AppScan’s database of attacks and techniques can be updated through its “Live Update” feature, says Danahy. This capability allows users to decide if they want to receive updates whenever AppScan is launched. Once the update process ends, updates are automatically installed in AppScan, and information regarding the specific update appears in the “Updates log.”


[sidebar]

BIG BLUE: New resources

The IBM team of application security experts has led research in this area for 14 years, says Jack Danahy, security executive of IBM Rational. Before arriving at IBM, Danahy was founder and CEO of two technology companies; Qiave Technologies, sold to Watchguard Technologies in 2000, and Ounce Labs, sold to IBM in July of 2009. As well, Danahy served on the board of the Payment Card Industry (PCI) Vendor Alliance, and is a distinguished fellow at the Ponemon Institute.

“Our IBM team has filed many patents, including runtime analysis and the first and broadest patent on web application security scanning issued in 2003,” he says.

The AppScan team has focused on making application security fit into the development environment and the security infrastructure in organizations, says Danahy.

IBM AppScan products are complemented by the IBM Security framework that includes offerings specific to threat mitigation on the network (IBM Security Network IPS), for servers (IBM Security Server Protection) and for databases (IBM Infosphere Guardium), Danahy says.


For reprints of this case study, contact Elton Wong at elton.wong@haymarketmedia.com or 646-638-6101.