■Information Security to develop and publish criteria for sensitive web-based applications, work to identify them on campus, and manually audit them for common errors.
■Security & Privacy Impact Assessment will mandate risk assessments for applications providing private personal information.
scanners can detect sophisticated attacks like cross-site scripting and SQL injection, but to date have not been effective at finding some of the simplest and most common errors that application developers make. Continue to evaluate these tools.
■Establish a one-hour class covering some of the most common security errors in web-based applications.
Proposal Subject to Approval
Following a peer institution's problem with SSN-based authentication, we found two similar problems at Penn. In 2003, we had reports from end users of two sensitive web applications giving any user access to anyone else's data.