Introduction

Why bother learning about securing applications?

• Even applications that don't seem to need to bother with security
  should be written with security in mind, as they may be used in
  ways other than intended.

• Insecure applications can be a doorway into systems or databases, and
  the Black Hats are out there

• Black Hat Motivations:
  • It's fun

  • One compromised system leads to another

  • They want free stuff (ahh, credit card numbers)

• Legal Ramifications. Various laws require that certain UF data remain confidential:

  From the UF Secure Applications Development Guidelines:

  • UF is required by the Buckley Amendment and state statute to
    maintain the confidentiality of student records. For more
    information, refer to Student Records.

  • Units that deal with patient information will need to be aware
    of their responsibilities under the Health Insurance Portability
    and Accountability Act of 1996 (HIPAA).

  • Financial data is protected by the Gramm-Leech-Bliley Act (GLBA).
    For more requirements on applications that process financial data,
    refer to the UF E-Commerce Policy.

  • The UF Privacy Policy restricts the collection of personal data.

Consequences

• Media Attention ("you're -- *gulp* -- famous")

• Lawsuits

• General bad days

• Dogs and Cats living together, total chaos