Web Application Security
UTO Information Security Office
Aug 25, 2010
Rev 1

Overall recommendations
• Under the direction of the Information Security Office:
• Resolve lack of secure socket layer logins and missing digital security certificates on asu.edu academic and administrative sites
• Secure them AND move to centralized digital certificates managed by UTO
• Clean up old sites
• Identify owners of remaining sites
• All Departments to increase management of their web presence on the asu.edu domain

Websites on asu.edu
ASU.EDU
• Balance academic freedom with volume control for new sites
• Purge obsolete sites
• Scan for security risks
• Continue to improve inventory list
• OWNER identification is critical

Lack of Secure Socket Layer Login
• There are a number of sites on asu.edu with login pages that lack a secure socket layer and/or valid digital certificate.
• We have identified owners or email contacts for these sites, and will be working with said owners to secure the logins.
• 70% are Academic web pages (College Departments, Faculty, Students)
• 25% are Administrative dept web sites/pages.
• 2.5% are Services intended for the general public
• 2.5% redirect to external sites
• TAG members assisting departments

Non-SSL Websites
• The Departments or Colleges that own the sites: