1 of 18

U-M IT Security Standards Information Session

Rick Getchell

Information Assurance

Reminders

  • We are taking a phased approach to implementation of the standards.
  • Standards, by design, are easier to revise and update than policies in the U-M Standard Practice Guide.
  • We recognize there is rarely 100% compliance at an environment as large, complex, and ever-changing as U-M; incremental improvement in our security posture is still improvement.
  • Michigan Medicine’s interpretation of and/or approach to this standard may differ slightly. Please inquire within your organization or contact IA-MM-PolicyAlign-Project@med.umich.edu.

Fresh Start

  • Application Security: a newer focus area for U-M’s Information Assurance program

  • Lots of coding going on at U-M
    • ~650 staff across U-M with titles of developer, programmer, or software engineer

  • Higher education is a target

Higher Education is a Target

  • Georgia Tech breach announced April 2, 2019
    • Exposed personal information of up to 1.3 million individuals
    • Current & former faculty, students, staff, and student applicants
    • Cause: SQL injection in custom web app
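The cause named above, SQL injection in a custom web application, is shown below as an added, self-contained example (not code from this deck, and not related to Georgia Tech's actual application). It contrasts a lookup that concatenates user input into the SQL text with a parameterized query, using an in-memory SQLite database of constructed sample rows; the table name, columns, and the hypothetical applicant records are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the example; not from any real system.
SAMPLE_APPLICANTS = [
    ("alice@example.edu", "111-11-1111"),
    ("bob@example.edu", "222-22-2222"),
    ("carol@example.edu", "333-33-3333"),
]

# A tautology payload of the kind an attacker submits in a login or search field.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Build an in-memory database with a hypothetical applicants table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicants (email, ssn) VALUES (?, ?)", SAMPLE_APPLICANTS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: untrusted input is spliced into the SQL statement text,
    so the quote in PAYLOAD closes the string literal and the rest of the
    payload becomes SQL. The WHERE clause turns into a tautology and every
    row is returned."""
    sql = "SELECT email, ssn FROM applicants WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """HARDENED: a parameterized query. The statement is fixed; the driver
    passes the value separately, so the payload is compared as a literal
    string and never parsed as SQL."""
    return conn.execute(
        "SELECT email, ssn FROM applicants WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run both lookups against the same data and return the results."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # all 3 rows leak
        "safe": lookup_safe(conn, PAYLOAD),              # no rows
        "legit": lookup_safe(conn, "bob@example.edu"),   # one matching row
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10s} -> {len(rows)} row(s): {rows}")
```

The same defect appears in any language whenever a query is assembled with string formatting; the fix is always the same: keep the statement text constant and pass values as parameters (or through an ORM that does so), and treat input validation as a second layer rather than a substitute.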

Objectives

  • Reduce risk to sensitive institutional information

  • Prevent unauthorized access to administrative systems

  • Comply with legal and regulatory requirements

  • Ensure availability of critical assets and resources

Key Provisions

  • Applications developed/maintained and used by U-M
    • Web, cloud, and mobile applications, services, and APIs
    • In clinical, research, administration

  • Incorporate secure coding practices into each phase of the software development life cycle

  • Provide developers with resources for prioritizing security controls
    • Testing applications and fixing flaws takes effort
    • Related training is ongoing (you’re never done)

  • Applies to units, faculty, principal investigators, staff, and workforce members

Minimum Security Requirements

Example Requirements

  • Use Production, Staging, Test, and Development environments
  • Use the latest available external or third-party components

  • Authenticate users through central AuthN/AuthZ systems

  • Use effective quality assurance techniques prior to go-live

IA Responsibilities

  • Ensure the standard is credible, implementable, enforceable
  • Coordinate and provide automated application security testing
  • Maintain guidance at Safe Computing

Your Responsibilities

  • Strive to write secure code, maintain and update your applications
  • Utilize application testing tools
    • U-M GitLab (coming to campus this year)
    • Others freely available (Sensitive University Data not permitted)
      • SWAMP, GitHub
  • Engage IA / IA-MM for application scanning
    • IA for Dynamic Application Security Scans (coming soon)
    • IA-MM for code reviews where ePHI is involved
  • Give IA feedback
    • Help us improve our Application Security offerings

FAQs

  • When will Web Application Security Scanning be offered to campus?
    • We’re beginning to meet with units now to pilot the offering. General availability is scheduled for later this year. We will prioritize applications that process sensitive data or that are mission critical.

  • If the Web Application Security Scanner finds vulnerabilities in my web application, will I be required to fix them?
    • Yes, you are expected to fix and update your applications
    • Vulnerabilities with CVSS scores of 7 or higher must be addressed according to the Vulnerability Management Standard (DS-21)
  • My unit has an application that we cannot update without breaking it. What can I do about its security vulnerabilities?
    • Ask IA for help with clarifying the risk and developing a plan to address the vulnerabilities.

  • How can programmers in my unit find guidance and training resources for practicing secure coding?
    • The Safe Computing website has a page that lists several such resources available at no cost to U-M units.
    • IA will continue to offer secure coding classes and certification through Merit or other providers

  • Is there a Secure Coding Community of Practice at U-M?
    • Yes! “COP-DS-18-Secure Coding and App Security”
    • Join it on MCommunity

Key Takeaways

  • Applications developed/maintained and used by U-M must be secured by the respective developers/maintainers. Includes applications in research, clinical, and administration, etc.
  • IA can help with guidance and automated testing.
  • IA periodically coordinates secure coding classes and certifications.

  • We recognize there is rarely 100% compliance at an environment as large, complex, and ever-changing as U-M; focus on the applications you know about (especially those that are unit-level in size).

  • Incremental improvement in our security posture is still improvement.

  • We are taking a phased approach to implementation of the standards.

Questions?

  • Online? Use BlueJeans “Q&A” button
  • All questions (answered and unanswered) are being monitored for necessary follow up

Future Questions

Please send any questions or concerns to:

rgetchel@umich.edu

Communities of Practice

  • One for each standard
  • Joinable MCommunity groups
  • Listed on Safe Computing

Next Session

  • Encryption and Network Security
  • 5/23/2019 - PM session
  • Palmer Commons (Auditorium)
  • Sign-up coming soon

Thank You!