Start Secure. Stay Secure.™

CASE STUDY

University of Missouri Takes Web Application Security Seriously

How the first public university west of the Mississippi took steps to cost-effectively and efficiently protect its students and staff from malicious Web application attacks, attacks that in recent history have cost several educational institutions the compromise of highly confidential data and placed their reputations on the line.

Background

As the online world continues to mature and becomes a standard way of doing business, personally and professionally, cyber criminals keep looking for their next victim to fall prey and allow them unauthorized access into their network. More and more educational institutions are becoming prime targets for malicious online activity, ranging from identity theft and data theft to unauthorized changes made to academic standings by mischievous students. Unfortunately, very public breaches of online information have already occurred at educational institutions, from Ivy League colleges to state university systems, proving the common thread that a weak link exists. The key dilemma facing IT administrators at these schools is how to maintain a network open enough for the convenience and benefit of students and staff while still protecting those same students and staff from potential victimization by online attackers.

The Challenges of Web Application Security

The University of Missouri-Columbia was founded in 1839 as the first public university west of the Mississippi River. Today, more than 27,000 students attend the University. As with most established universities and organizations, the University of Missouri is doing what it can with current budgets and resources to establish a secure online environment for its staff of over 12,000 and its large student body, but the challenges are daunting.
Allen Brokken has been the Security Auditing Team Lead for the University of Missouri-Columbia since 2004. His primary role is to audit the systems and applications in use at the University. When Allen began his position at the University, he used an internal cookbook composed of free Web application analysis tools and manual methods to review critical Web applications and determine what was vulnerable and what was secure. Through his review of many of the University's Web sites, including e-commerce sites, Allen was faced with the key issue of too many false positives and an inaccurate sense of the true state of any application's level of security. According to Allen, "It took our team from four to eight hours to review a single page, and two to three days using the tools I created to assess the e-commerce functionality of the University's e-commerce sites."

It quickly became apparent that a comprehensive, automated, flexible tool was needed to save time and overall resources in assessing the security of applications already in use, as well as to help maintain a consistent and proactive approach to the secure development of new applications for the University. Facing the overwhelming task of proactively maintaining a secure Web application environment, Allen began to look into various options for automating his process to obtain a more robust security assessment of his Web applications.

In August 2004, Allen was introduced to SPI Dynamics at a Microsoft Security Summit, where he learned of the company's industry-leading Web application assessment product, WebInspect. Intrigued by the potential benefits of WebInspect for his organization, Allen acquired an evaluation version of the product and conducted an independent test comparing his original, home-grown assessment process with WebInspect's. His original process took a full two business days to complete the audit and discovered only two potential security issues. WebInspect took a mere two hours to generate a comprehensive report detailing additional issues that his original process had not discovered. The results were clear: there were no false positives, and WebInspect was clearly the most time-effective solution. Allen adds, "Based on the results of my independent tests and endorsement from outside sources, I became confident that WebInspect was the right choice. No tools out there that I encountered had the feature set like WebInspect, nor the high ranking on independent tests against competing products."

Allen also found the SPI ToolKit feature within WebInspect to be "very beneficial." The SPI ToolKit consists of productivity tools that let users test Web applications by making specific attempts at penetrating the application. It includes advanced tools that simplify complex Web application security testing methods such as SQL injection, cookie analysis, and HTTP fuzzing. "There are some things that you don't want done automatically, and the SPI ToolKit allows that flexibility, which is very nice to have," said Allen. Allen added that he was also very impressed by the WebInspect security training given through SPI Dynamics' partner, SecurityPS, which gave invaluable insight into integrating and using the tool in his environment. "I was also very impressed by the overwhelming responsiveness of SPI Dynamics and their willingness to work with our procurement process."

For over a year, SPI Dynamics' WebInspect Web application security assessment product has helped ensure the security of the University of Missouri's Web applications by identifying known and unknown vulnerabilities within the Web application layer. With WebInspect, application developers, quality assurance (QA) professionals, auditors, compliance officers, and security experts can perform security assessments on a Web-enabled application or Web service to help create and maintain secure Web applications throughout the development lifecycle.

Facing the Challenges and Winning with WebInspect™

A common concern in today's application development lifecycle is the lack of knowledge about building secure applications from the ground up. Historically, applications were not developed with security in mind, through no fault of the developer or QA professional, but mainly because no one could envision that security would become the heightened issue it is today. Comments Allen, "Our developers would develop a Web site unaware of the security requirements and potential ramifications if each application was not built securely. The Web applications would then be sent into production where, in turn, the production team would require an audit. This cycle easily burned a month of time per person, per site."

"The best part about WebInspect that I've found is its incredibly flexible reporting capabilities, which allow you to customize reports for various audiences within your organization. Generating reports is obviously a very important aspect of security management, so you are able to track trends and potential issues. WebInspect provides the ability to generate an overview of that critical information in a format that is understandable by the audiences that need to be on top of what is going on," said Allen. "Our developers like the product as well. They love the reports that WebInspect generates, because they include the weaknesses and how to fix them, something I could not do without significant research on a case-by-case basis."

The Future

The University of Missouri is taking significant strides in securing its online presence. In response to mounting concern over online threats, the University has implemented a "Safe Web" program to establish security training throughout the development lifecycle for all employees involved in the application development process. Allen comments, "There is considerable interest among other IT departments at the University to implement security tools such as WebInspect to help in the secure development of online applications. Our main focus is to have the right tools like WebInspect in place throughout our organization to maintain the flexibility of allowing users to have access to what they need to do their jobs, as well as keep them secure in doing so."

SPI Dynamics, 115 Perimeter Center Place, Suite 1100, Atlanta, GA 30346
Tel: 678.781.4800 | Fax: 678.781.4850 | Email: info@spidynamics.com
Copyright ©2005, SPI Dynamics Incorporated. All Rights Reserved.