
10-11:30, CG1-3150-Boardroom


Agenda:

Intro

Presentation/Discussion:  Susan Ramsey will speak about general web security and tips and what is being used to test our websites.  Be prepared to discuss what you are using to test your sites and ideas/solutions you might have.

Discussion of happenings at DrupalCon by WAG member attendees

Quick update on work on umbrella sites from David and Stephen

Quick update on web news from Helen Moshak


Attendees:

Carter Borst, Sara Byrd, Sharon Clark, Stephen Geinosky, Terri Hamner, Ryan Johnson, Don Kolinski, Helen Moshak, Dennis Ogg, Susan Ramsey, David Vance, Nate Wilhelmi, Lara Ziady


Notes:

Presentation/Discussion:  Susan Ramsey will speak about general web security and tips and what is being used to test our websites.  Be prepared to discuss what you are using to test your sites and ideas/solutions you might have.

In a distributed environment, individuals have to make risk decisions.
Trade-off between freedom and security.

In 2015, UCAR PC adopted FISMA for security best practices.

Bulk of security here has been done by the divisions' sys admins.  Federal government agency funding requires FISMA.

FISMA stands for Federal Information Security Modernization Act: keep risks at or below specified levels, with annual analysis of information security and privacy.  Contractors must also do this.  NSF doesn't require FISMA, but some federal agency funding does.  Generally aim for FISMA Low, but some contracts have more requirements.  The org is looking into how to centralize some of the efforts to take some load off of the labs.

NIST Risk Management Framework (RMF): lifecycle management with security baked in.

goals: you know yourself, your data, what you're doing with your data.

Steps
1: categorize data and IPs
2: select security controls - SSP (system security plan).  There is a list of NIST recommended controls, but you can assemble the various controls you choose for your customized plan.  Baseline: preconfigured subset of security controls.
3: Implement security controls.  Implement your system with the controls in it as you are creating it.  Don't wait until the end.
4: Assess security controls - informal or formal.  If you have external requirements/FISMA Moderate, you need an external assessment to verify that you are adhering.  If FISMA Low, you can determine how you want to do the assessment.
5: Authorize system - the authorizing official must own and accept the risk.  POA&Ms (Plans of Action and Milestones): you can make a plan to fix known glitches.  You can lose contracts if you don't.
6: Monitor security control - continuous testing/remediation, patches, monitor systems, etc.  Following plan.  Fixing POA&Ms.

FISMA is a law, RMF is a framework.
Adopting standard practices and platforms enables us to automate processes.

Also required to do security testing during code development.  How is up to us, but have to have a plan.

Inheritance vs local

As developers
we typically inherit the hardware or operating system, DNS, two-factor auth, network, physical security in data centers, physical building safety and disaster mitigation controls (fire suppression, etc.).

Published our Strategic Security Plan and we've promised NSF we're doing it.

Who does all this:  Now, everyone because we are decentralized.  Web devs/admins must do: patches, pen testing, config mgmt, keeping on top of current attacks, etc.

CPO - cybersecurity program office.
staffed out of CISL
Chartered to help org reach FISMA Low

Current projects include instating some central shared services - improving logging, network security monitoring, etc.  Increase capacity to detect and investigate anomalies. 

As web devs document their SDLC and security testing methods, CPO will document that as common controls.

---Round table discussion about what security testing developers are doing.  

For automated tests or penetration testing, you need a team ready to tackle the findings.
False positives can be an issue unless someone is well-versed with the code to understand what is important to address or not.  This makes centralized testing in a decentralized environment difficult.

Low hanging fruit - auto process to check if your packages are out of date.

Automating can help but we need to figure out what to automate at a level that is useful and ensure the right people get the information who can fix it.

CPO should have a consistent notification template.  Possible to then run a script to check what has already been patched and only notify owners that haven't.  Issue is that there is not a master list of what software is being run throughout the organization.  
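The two points above (an automated check for out-of-date packages, and a script that compares a notification against what has already been patched so that only owners of still-vulnerable sites hear about it) can be combined in one small triage step. The following is an added example written for these notes, not a CPO tool or anything that exists at UCAR; the inventory, advisory ID, fixed versions, site names and owners are all constructed for illustration. It assumes someone maintains the "master list" of what runs where that the discussion says is currently missing; here that list is a hard-coded structure.

```python
"""Added example: triage a package advisory against a site inventory so that
only owners of still-unpatched sites are notified.

The inventory, the advisory, and the owner/site names are constructed
sample data, not real UCAR systems.  Version strings are compared as
numeric tuples, which is enough for the dotted release scheme used by
Drupal core and most Composer packages; a pre-release suffix such as
"-rc1" is ignored, so 8.5.3-rc1 compares equal to 8.5.3 (a known
limitation of this simple parser).
"""
from collections import defaultdict

# Constructed sample inventory: one record per site, keyed by Composer
# package name -> installed version.  In practice this would come from a
# central list or from each site's composer.lock.
INVENTORY = [
    {"site": "lab-a.example.org", "owner": "alice",
     "packages": {"drupal/core": "8.5.3", "drupal/webform": "5.0.0"}},
    {"site": "lab-b.example.org", "owner": "bob",
     "packages": {"drupal/core": "8.4.6"}},
    {"site": "lab-c.example.org", "owner": "alice",
     "packages": {"drupal/core": "8.5.1"}},
    {"site": "lab-d.example.org", "owner": "carol",
     "packages": {"drupal/webform": "5.0.0"}},
]

# Constructed sample advisory (hypothetical ID and fixed releases).
ADVISORY = {
    "id": "ADV-EXAMPLE-001",
    "package": "drupal/core",
    "fixed_in": ["8.5.3", "8.4.8"],
}


def parse_version(v):
    """'8.5.3' -> (8, 5, 3).  Each dotted component keeps only its leading
    digits; parsing stops at the first component with none."""
    parts = []
    for component in v.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if digits == "":
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(installed, fixed_in):
    """True if the installed version is older than the fixed release on the
    same major.minor line.  A line that has no fixed release listed is
    treated as vulnerable (fail closed): it is an unsupported branch and a
    human should look at it rather than have it silently dropped."""
    inst = parse_version(installed)
    for fixed in fixed_in:
        f = parse_version(fixed)
        if inst[:2] == f[:2]:
            return inst < f
    return True


def find_unpatched(inventory, advisory):
    """Return {owner: [(site, installed, fixed_in), ...]} covering only the
    sites that run a still-vulnerable version of advisory['package'].
    Sites without the package and sites already patched are skipped, so an
    owner is contacted only when there is something for them to do."""
    pkg = advisory["package"]
    todo = defaultdict(list)
    for entry in inventory:
        installed = entry["packages"].get(pkg)
        if installed is None:
            continue
        if is_vulnerable(installed, advisory["fixed_in"]):
            todo[entry["owner"]].append(
                (entry["site"], installed, advisory["fixed_in"]))
    return dict(todo)


def render_notice(owner, items, advisory):
    """One notification per owner, in a single consistent template."""
    lines = [
        f"To: {owner}",
        f"Subject: [{advisory['id']}] action required for {advisory['package']}",
        "",
    ]
    for site, installed, fixed in items:
        lines.append(f"- {site}: running {installed}, "
                     f"upgrade to one of {', '.join(fixed)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for owner, items in find_unpatched(INVENTORY, ADVISORY).items():
        print(render_notice(owner, items, ADVISORY))
        print()
```

With the sample data, lab-a is already on 8.5.3 and lab-d does not run the package, so only bob (lab-b on 8.4.6) and alice (lab-c on 8.5.1) receive a notice. The fail-closed choice in `is_vulnerable` is deliberate: a site on a branch the advisory does not list (say 8.3.x) is exactly the "funded to build, not funded to maintain" case raised in the discussion and should surface rather than disappear.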

Need to do more than just have a tool, but need to also have a remediation plan. 
Fix top five critical issues, etc.  
Also understand what we can fix, vs what we have to run because had funding to create it but have no funding to maintain and update long-term. 

Need to be careful with site scanning when we move to the cloud, because hosting will be charged by pageview; we don't want to be charged for massive automated scans.

Think about what SDLCs and security testing would work with your groups' workflows.


2017 Strategic Security Plan. In particular, check out pages 77-81. 

https://drive.google.com/a/ucar.edu/file/d/1kWDYmSTYIv8kboKGKbD58IKI_3kjm1g9/view?usp=sharing

Presentation files: Susan Ramsey Presentation re: Web Security


Discussion of happenings at DrupalCon by WAG member attendees

Lara - most of the presentations should be online from DrupalCon.
Recommended presentations: Tuesday - Drupal 8 Migrations by Example (GitHub files available for practice migrations)
Material Admin module: UX - easier for content managers, based off of Google standards
Top modules

David - two major initiatives announced
1: out of the box experience - right out of the box after setting it up it's ready to use and great
2: API first - headless Drupal, decoupled Drupal - just as a data store - get Drupal's workflows, entity types, auth, etc,  then use frontend framework to make the UI like React or Vue - benefit - multiple front ends - mobile vs web, digital signage, etc - front ends just use the APIs. Faster rendering.

Lots of big companies using Drupal extensively.  Estee Lauder, U of Colorado.  1000s of sites. Many people on Pantheon.  Automation, continuous integration, testing, etc.

Web accessibility - pretty major topic. Need to have org-wide buy-in to be successful.  From developers to content creators - video captions, accessible pdfs, how to make visualizations accessible?  Companies are getting sued, even if they aren't govt agencies that must adhere to accessibility guidelines.

Quick update on work on umbrella sites from David and Stephen

New theme has made a lot of steps towards 508 and ADA accessibility requirements.
Chrome Lighthouse - to inspect your site for low-hanging-fruit issues.

https://developers.google.com/web/tools/lighthouse/
https://chrome.google.com/webstore/detail/lighthouse/blipmdconlkpinefehnmjammfjpmpbjk?hl=en


The Foundation framework and Drupal 8 provide some accessibility support out of the box.
Talk to Stephen if you would like to get started on checking your sites.

Quick update on web news from Helen Moshak

Working on statement of work for working with consultants for assessment for web shared services.  Will keep us posted.  Will go out in RFP.  Assessment will be metrics we provide as an institution and meetings with stakeholders.  Recommendations around shared services model.

