Do vulnerability-assessment on software before you buy it.
That’s the philosophy adopted at West Virginia University (WVU), which increasingly asks software vendors to agree to submit their products to a vulnerability-assessment examination before purchase. “It’s part of the contract process,” says Alex Jalso, assistant director of information security at WVU, which uses the IBM AppScan Enterprise software vulnerability-assessment tool to analyze and remediate code vulnerabilities and weaknesses.
Jalso says the analysis process lets the school look deeper into code, which is the intellectual property of the vendor, and for its part the school agrees to work under non-disclosure about any issues that arise. The university hasn’t yet gotten all its software vendors on board, but it’s headed in that direction. And AppScan is also used by the university to analyze any security weaknesses in the in-house developed Web applications before they go into production. Why is this important? Jalso says it’s about being pro-active in identifying software weaknesses that might otherwise become a route for attack by hackers and malware.
There are a lot of legal issues to consider, too, such as not violating data-protection guidelines related to HIPAA, FERPA and PCI rules. The basic idea is that it’s not too much to ask someone to prove their software can pass a vulnerability test — in fact, pass it not once, but again and again as the code base changes, Jalso says.
Change vendors – not your expectations
Ross Elliott is manager of network operations at Brick Township Public Schools in New Jersey, a district with 12 schools and 10,000 students. The IT department for the school district provides wired and wireless access for students and faculty. But earlier this year, the more open portion of the wireless network showed signs of strain with so many students using it for Internet access. As a side effect, the Astaro firewall and the Comcast service “were not playing together well,” says Elliott, who thinks the firewall’s proxy-based setup was likely a factor but “we were upset at the support we were receiving.”
Network availability was getting shakier, and on his birthday in June the wireless network was limping along at its dismal worst; “in the IT department, we were getting bombarded with phone calls.” The school system was able to sort out the network issues over the summer, upgrading speed and switching to a SonicWall firewall. Elliott says more changes to the nature of network access at the school may be needed to meet the demands of mobile devices.
Fix it frugally
As in many school systems in the country today, teachers are doing more routine procedures online rather than on paper, and that’s the case at Belchertown School District in Massachusetts, which consists of five schools. There, teachers and students go online to get class material and log attendance, among other things. PowerSchool, an application the school district began using, runs on Cisco UCS hosting VMware View virtual desktops, with data stores residing on NetApp FAS2020 storage. But according to Scott Karen, the school district’s director of technology, it became apparent last year that there were excessive latency issues with the virtual-desktop setup when many students tried to log on and use the system at the same time. In addition, teachers in their classrooms all taking attendance at the same time found the system not only slow but prone to file errors.
The lack of caching in the older NetApp FAS 2020 was a problem, Karen says, but he adds that going to a bigger and newer NetApp was not appealing from the school district’s budgetary standpoint. However, as a regular attendee at the local VMware user group meetings, where problems are shared and yes, vendors show up to pitch their wares, Karen found what he says was an economical fix for the school district’s VM boot storm problems. And that was adding the Avere FXT Series two-node cluster to optimize the read/write capabilities of the system. It was up and going quickly, brought latency to a tolerable point, and it all was a lesson learned about desktop virtualization.