You can't secure what you don't acknowledge.℠

Monday, January 21, 2013

Student information systems rife with security flaws

Here's an interesting story from Slashdot today about a college student being expelled after pointing out flaws in his college's student information system.

What he's seeing is no surprise. Starting with my days working for IBM's EduQuest division, for the past 20 years or so I've seen numerous K-12 and higher education student information systems chock full of security flaws. Stupid, silly security flaws like SQL injection, cross-site request forgery, URL manipulation, no passwords at all - you name it. None of them should've been around 10 years ago, much less today. But they're there.
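To make two of those flaw classes concrete, here is an added example (my own illustration, not code from any student information system or from this post) of a student-record lookup written the way these systems too often are, next to a hardened version. The table, student ids and names are constructed sample data; "URL manipulation" is the requested id coming straight from the request with no check that it belongs to the logged-in user.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny student table, not real records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id TEXT PRIMARY KEY, name TEXT, gpa REAL)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?)",
                   [("s100", "Alice", 3.9), ("s200", "Bob", 2.7)])
    return db


def lookup_vulnerable(db, requested_id):
    """The pattern the post complains about: the id taken from the URL is pasted
    into the SQL text (SQL injection) and nothing ties the record to the
    authenticated user (URL manipulation exposes any student's data)."""
    sql = f"SELECT id, name, gpa FROM students WHERE id = '{requested_id}'"
    return db.execute(sql).fetchall()


def fetch_student(db, student_id):
    """Parameterised query: the id is bound as data, never as SQL syntax."""
    return db.execute("SELECT id, name, gpa FROM students WHERE id = ?",
                      (student_id,)).fetchall()


def lookup_hardened(db, session_user_id, requested_id):
    """Hardened lookup: an authorisation check (the caller may only read the
    record that belongs to their session) in front of the parameterised query.
    Input validation alone would not stop a student reading another's record."""
    if requested_id != session_user_id:
        raise PermissionError("record does not belong to the authenticated user")
    return fetch_student(db, requested_id)
```

The hardened version treats the requested id as an untrusted claim to be checked against the session, not as a key to be trusted because it arrived in the URL.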

Folks, if you work for a K-12 school, university, or you're a parent curious about how your student's information is being handled (and protected), start asking questions like:
  • When was the last time this application was tested for security flaws? (their vendor's SSAE 16 report won't cut it)
  • What was done about the flaws that have been discovered up to this point? (even when flaws are found, many people still have political, financial, and time management hurdles that get in the way of improvements)
Someone needs to be in charge of managing these risks.

Certain people at the school level will tell you that student information is secure because their auditor ran Nessus and everything checked out okay. Need I say more?

The student information system vendors will tell you their applications are secure because they have good programmers. Again, based on what I've seen, they're most definitely not.

Even if the vendors delivered flawless code, there's still integration and customization unique to each school that can introduce some ugly stuff that puts student information at risk.

Be wary and don't be afraid to push the people responsible for making things right.