Here’s an interesting story from Slashdot today about a college student who was expelled after pointing out flaws in his college’s student information system.
What he’s seeing is no surprise. Starting with my days working for IBM’s EduQuest division, for the past 20 years or so I’ve seen numerous K-12 and higher education student information systems chock full of security flaws. Stupid, silly security flaws like SQL injection, cross-site request forgery, URL manipulation, no passwords – you name it…none of which should’ve been around 10 years ago, much less today. But they’re there.
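To make the SQL injection point concrete, here is an added example (not code from the original post or from any real student information system) that builds a tiny in-memory student table, looks a record up the broken way and the right way, and checks which of the two a crafted ID can abuse. The table, the student IDs and the two lookup functions are all constructed for this illustration.

```python
import sqlite3

# Constructed sample records for a hypothetical student information system.
STUDENTS = [
    ("S1001", "alice", "3.7"),
    ("S1002", "bob", "2.9"),
    ("S1003", "carol", "3.2"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (student_id TEXT, username TEXT, gpa TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    return conn


def lookup_vulnerable(conn, student_id):
    """The flaw the post describes: caller input is pasted straight into the SQL text."""
    sql = (
        "SELECT student_id, username, gpa FROM students "
        "WHERE student_id = '%s'" % student_id
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, student_id):
    """Hardened form: the value is bound as a parameter, so it can never become SQL syntax."""
    sql = "SELECT student_id, username, gpa FROM students WHERE student_id = ?"
    return conn.execute(sql, (student_id,)).fetchall()


def check_injection_resistance(lookup):
    """Return True if the lookup treats a crafted ID as plain data (zero rows match).

    This is the kind of check an application-level test should run; a network
    scanner pointed at the host will not see the difference.
    """
    conn = make_db()
    crafted = "' OR '1'='1"  # classic textbook probe, used here only to test the fix
    return len(lookup(conn, crafted)) == 0


if __name__ == "__main__":
    print("vulnerable lookup resists injection:", check_injection_resistance(lookup_vulnerable))
    print("parameterised lookup resists injection:", check_injection_resistance(lookup_safe))
```

The only change between the two lookups is how the student ID reaches the database engine; the vulnerable version hands every row in the table to anyone who can type a quote character, while the parameterised version returns nothing for the same input and still finds a real student by ID.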
Folks, if you work for a K-12 school, university, or you’re a parent curious about how your student’s information is being handled (and protected), start asking questions like:
Someone needs to be in charge of managing these risks.
Certain people at the school level will tell you that student information is secure because their auditor ran Nessus and everything checked out okay. A network vulnerability scanner does not exercise the application logic where flaws like SQL injection and CSRF live. Need I say more?
The student information system vendors will tell you their applications are secure because they have good programmers. Again, based on what I’ve seen, they’re most definitely not.
Even if the vendors delivered flawless code, there’s still integration and customization unique to each school that can introduce some ugly stuff that puts student information at risk.
Be wary and don’t be afraid to push the people responsible for making things right.