West Virginia University cuts risks by an average of 60 percent

IBM application security solutions help reduce vulnerabilities, address key compliance issues

Published on 30 Nov 2011

"After doing our research, we determined that IBM was a leader in the field of dynamic application scanning." —Alex Jalso, assistant director, office of information security, WVU

Customer:
West Virginia University

Industry:
Education

Deployment country:
United States

Overview

West Virginia University (WVU) is a public research university in Morgantown, West Virginia. Founded in 1867 as a public, land-grant institution, today the university enrolls approximately 33,000 students at campuses throughout the state. The university offers 193 bachelor's, master's, doctoral and professional degree programs through its 15 colleges.

Business need:
WVU sought to provide developers across the university with a standard, centralized solution for scanning web applications for vulnerabilities.

Solution:
IBM® Security AppScan® Enterprise software enables WVU to perform concurrent scans and provide users with a web-based solution for identifying and fixing security issues.

Benefits:
WVU has performed increasing numbers of scans each year, but the number of vulnerabilities identified has decreased by an average of 60 percent, showing an improvement in web application quality.

Case Study

Seeking to proactively improve web application security

The office of information security at WVU had launched an initiative to be more proactive about web application security. With IT operations organized in a decentralized manner throughout the campus, the office wanted to provide developers with a standard, centralized tool for scanning web applications for issues and vulnerabilities. Alex Jalso, assistant director, office of information security, WVU, spearheaded the search for such a tool. “After doing our research, we determined that IBM was a leader in the field of dynamic application scanning,” he says.

The university chose IBM® Security AppScan® Standard software, but then decided to upgrade to IBM Security AppScan Enterprise software. “We were able to increase the participation of the IT community in web application scanning. So we wanted to go to a multiuser web-based solution that enabled us to do concurrent scans and provide our customers with a web-based portal for accessing and sharing information on identified issues.”

Handling a variety of applications along with a variety of compliance issues

The Security AppScan Enterprise software is currently used by academic, administrative and research groups. Many applications developed by these groups must comply with regulations including the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). Because these applications collect sensitive personal and financial information, web application security and integrity are a top priority for the university.

When the office of information security begins working with a new IT group, the group fills out a spreadsheet describing the application to be scanned, including any sensitive information the application handles as well as any applicable compliance requirements. The office of information security also factors in how widely the application is used, for example by a single department or universitywide. The office then enters these variables into the Security AppScan Enterprise application and conducts the scan.

Once the scan is complete, the group receives a report that identifies issues that must be remediated before the application can proceed to production. “With Security AppScan Enterprise software, all the identified issues are separated and prioritized,” says Jalso. “The application even returns the location of issues within the code and gives suggestions on how to fix them.”

Increasing usage, decreasing issues

Since its implementation, adoption of the Security AppScan Enterprise application has increased each year. Jalso has been able to gain the buy-in of the many IT groups around the campus by emphasizing the importance of delivering high-quality and secure applications to production. Scanning web applications proactively helps reduce liability, says Jalso, because it’s easier to be proactive and identify potential issues before going to production than to be forced into a reactive mode if a site is compromised.

In 2009, the office scanned just two sites. In 2010, it scanned 52 sites. In 2011, it scanned 88 sites. While the number of sites scanned has increased, the number of issues identified has decreased by an average of 60 percent. Using Security AppScan software, says Jalso, people from different departments have begun working together and sharing information on common issues, leading to fewer issues in developed applications.

Security AppScan software helps improve the security and compliance of web applications throughout the software development lifecycle. It enables users to scan web applications to test for security issues. And it provides actionable reports and fix recommendations, leading to greater confidence in the applications in production. Security AppScan software is easy to use, which helps enhance developer and security team productivity and make it easier for teams to better protect the web application infrastructure. And because new vulnerabilities are being identified and exploited all the time, Security AppScan Enterprise software can also help identify, isolate and remediate an issue in the case of a site compromise.

Relying on IBM support

According to Jalso, fast, reliable support from IBM has helped increase the value of the university's investment in the software. “I’ve been working for WVU for going on 19 years and I’ve seen good solutions and bad solutions. And Security AppScan Enterprise is one of the best products I have worked with in terms of quality, reliability, results and vendor support,” says Jalso.

For more information

To learn more about IBM Security AppScan software, contact your IBM sales representative or IBM Business Partner, or visit: ibm.com/software/awdtools/appscan.

Additionally, IBM Global Financing can help you acquire the IT solutions that your business needs in the most cost-effective and strategic way possible. We'll partner with credit qualified clients to customize an IT financing solution to suit your business goals, enable effective cash management, and improve your total cost of ownership. IBM Global Financing is your smartest choice to fund critical IT investments and propel your business forward. For more information, visit: ibm.com/financing

Components

IBM products and services that were used in this case study.

Software:
IBM Security AppScan Enterprise

Legal Information

© Copyright IBM Corporation 2011

IBM Corporation
Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
December 2011
All Rights Reserved

IBM, the IBM logo, ibm.com, and AppScan are trademarks of International Business Machines Corporation in the United States, other countries or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

This case study illustrates how one IBM customer uses IBM products. There is no guarantee of comparable results.

RAC14226-USEN-00