Like all universities, West Virginia University (WVU) collects and stores a great deal of sensitive financial, health-related, and other personal data about its 33,000 students and staff. A growing number of security and privacy regulations require that such data be protected. With that in mind, a few years ago, the university, which develops many Internet-facing applications in-house, in addition to those it purchases from outside parties, decided to strengthen its application security, says Alex Jalso, assistant director in the university’s office of information security.
The university looked at several Web application scanning solutions, he says. Based partly on reviews by security analysts and others, as well as on hands-on experience trying the solutions, Jalso eventually selected IBM Rational AppScan Enterprise Edition software. In addition to the software’s strong reputation and ease of use, Jalso says he particularly liked that the solution would give the university a central, Web-based interface for conducting multiple, customized, and sometimes concurrent Web application security scans. Rational AppScan would also help the university’s many IT and security managers and staff share information on vulnerabilities and threats.
Jalso says it took about six months to get up and running with the tool across the university’s numerous IT departments. Rolling out the tool required educating IT managers and staff, which was accomplished with the assistance of IBM account representatives and support staff. It has been fairly simple to learn and use, Jalso says.
Part of introducing the solution included convincing other managers of its potential value. Jalso explained to other IT and security managers how the tool could scan applications before they were put into use. Not only would this “more proactive” approach be a lot more secure, but it would also save the staff considerable time compared to the previous approach of responding to incidents after they occurred.
When the IT office begins working with a new group now, the group provides information on the application to be scanned, including the sensitive data it handles and any compliance issues. The IT department enters that information into AppScan Enterprise before conducting a scan.
The university also uses the tool to conduct scans over the life of the application. That has led the school to significantly increase the number of security scans it conducts. In 2009, it conducted just two security scans, compared to 52 in 2010 and 90 last year.
The increase in scans helped the university to identify and analyze what some of the largest security risks have been and to see risk trends. It has used that information to build security into the development of applications and to remedy vulnerabilities in a more efficient manner. As a result of these efforts, the number of vulnerabilities found by scans in 2011 dropped by more than 60 percent compared to 2010, Jalso says.
Another benefit of the solution has been the centralized reporting feature. This function has helped different departments and IT managers share information on vulnerabilities through a Web-based interface, he says. The university has also appreciated being able to create customized reports to show to auditors examining whether the university is following certain regulations and mandates. The reports can be set to prioritize issues by their severity; the system can also provide suggestions about how certain code or other application weaknesses can be remedied.
Using this product has been fairly intuitive, Jalso says, and it has also been reliable. He gives high marks to IBM’s customer service. “IBM’s one of the best vendors I’ve ever worked with.” While there have been no problems that needed addressing, he says that IBM has helped the university learn all of the capabilities of the software so that staff can get the most out of it.