Security for Web Applications and Development
Wednesday, February 10, 2010
Presentation: Security for Web Applications and Development
Presenter: Kelley Bogart (Information Security Office)
Presentation (PDF format)
- UA Information Security Policy makes deans, department heads, etc. ultimately responsible for IS.
- FERPA was recently expanded to include digital information.
- PCI (Payment Card Industry) rules for campus are being worked on daily.
- From :
- There will be a mandatory training for all web developers determined by Information Security Liaisons.
- There will also be a mandatory all-staff training in D2L.
- We have AppScan available for web app vulnerability scanning.
- Q: Is the training going to be high-level?
- A: Yes, i.e., will not describe how to fix vulnerabilities.
- Q: When do you anticipate getting to the deeper level?
- A: When we have the resources. ISO is only two people.
- Comment: What would really help is a way to focus on the most important vulnerabilities.
- A: OWASP is getting better at this.
- Q: Are you looking at any peer institutions who have a similar training program?
- A: Yes. ASU has some online. We are looking at others. OWASP is good for this.
- The Web Developers training will also be in D2L.
- Someday there may be one for sysadmins and IT managers.
- We only have 2 AppScan licenses -- a bottleneck.