In an earlier post I discussed why we need security standards for education-related web apps. Today we really don’t have any. Student privacy legislation typically requires “reasonable” security. (This is due in part to the fact that legislation moves at a slower pace than technology, and today’s requirements might not outlast the legislative cycle.) Industry-driven student privacy standards also tend to speak of “reasonable” security with few specifics. TRUST-e’s definition of kids’ privacy does not require protection of students’ personal information and academic activity, just their credit cards and SSNs. Nobody has really specified what reasonable security means. In this post I’ll share a starting point, based on the OWASP Application Security Verification Standard (ASVS) and my own observations of web app security problems.
Securing web applications takes effort, and attack methods grow more sophisticated all the time. But the blueprint for providing a baseline of strong security is well defined. The OWASP ASVS spells out a comprehensive list of requirements for designing and verifying a secure web application and defines different levels of verification. A security standard appropriate for apps collecting students’ personal information and academic activities should incorporate most of the requirements from the ASVS ‘Standard’ level of verification. Many requirements for the Standard level of verification require access to the inner workings of a web service’s operations. The test plan I’m presenting here focuses on the ‘Opportunistic’ level of verification that can be observed by end-users of the web application. My outlook is that the rigor of the practices we *can* observe is an indicator of the practices we *can’t* observe as end users. So by assessing the health of a service against the observable security practices we can create a yardstick to compare sites and make decisions about whether to use them.
To perform the tests in this plan, no special access is needed beyond an account with the service, and no special equipment is needed beyond a computer and some free software programs. Every item on the test presents some level of security risk. Many of them are minor, but as a whole they paint a picture that’s often more important than the individual weaknesses cataloged in the test. Having said that, if every education-related web app met this test standard, it would be a big leap forward from where we are today.
It’s my hope that this test plan might be adopted by parents, administrators and teachers as a yardstick or minimum set of requirements for apps that collect our children’s and students’ information. It’s embedded below for viewing and downloading.
Web-App-Security-Test-Form-Feb15 (downloadable PDF)