Like all universities, West Virginia University (WVU) collects and stores a great deal of sensitive financial, health-related, and other personal data about its 33,000 students and staff. A growing number of security and privacy regulations require that such data be protected. With that in mind, a few years ago, the university, which develops many Internet-facing applications in-house, in addition to those it purchases from outside parties, decided to strengthen its application security, says Alex Jalso, assistant director in the university’s office of information security.
The university looked at several Web application scanning solutions, he says. Based partly on reviews by security analysts and others, as well as on hands-on experience trying the solutions, Jalso eventually selected IBM Rational AppScan Enterprise Edition software. In addition to the software’s strong reputation and ease of use, Jalso says he particularly liked that the solution would give the university a central, Web-based interface from which it could run multiple, customized, and sometimes concurrent Web application security scans. Rational AppScan would also help the university’s many IT and security managers and staff share information on vulnerabilities and threats.
Jalso says it took about six months to get up and running with the tool across the university’s numerous IT departments. Rolling out the tool required educating IT managers and staff, which was accomplished with the assistance of IBM account representatives and support staff. It has been fairly simple to learn and use, Jalso says.
Part of introducing the solution included convincing other managers of its potential value. Jalso explained to other IT and security managers how the tool could scan applications before they were put into use. Not only would this “more proactive” approach be a lot more secure, but it would also save the staff considerable time compared to the previous approach of responding to incidents after they occurred.
When the IT office begins working with a new group now, the group provides information on the application to be scanned, including the sensitive data it handles and any compliance issues that apply. The IT department enters that information into AppScan Enterprise before conducting a scan.
The university also uses the tool to conduct scans over the life of the application. That has led the school to significantly increase the number of security scans it conducts. In 2009, it conducted just two security scans, compared to 52 in 2010 and 90 last year.