Description: Tracking Information Security and Privacy Issues in Educational Technology
In an earlier post I discussed why we need security standards for education-related web apps. Today we really don’t have any. Student privacy legislation typically requires “reasonable” security. (This is due in part to the fact that legislation moves at a slower pace than technology and today’s requirements might not outlast the legislative cycle.) Industry-driven student privacy standards also tend to speak of “reasonable” security with few specifics. TRUST-e’s definition of kids privacy does not requi
Securing web applications takes effort, and attack methods grow more sophisticated all the time. But the blueprint for providing a baseline of strong security is well defined. The OWASP ASVS spells out a comprehensive list of requirements for designing and verifying a secure web application and defines different levels of verification. A security standard appropriate for apps collecting students’ personal information and academic activities should incorporate most of the requirements from the ASVS ‘Stand
To perform the tests in this plan, no special access is needed beyond an account with the service, and no special equipment is needed beyond a computer and some free software programs. Every item on the test presents some level of security risk. Many of them are minor but as a whole they paint a picture that’s often more important than the individual weaknesses cataloged in the test. Having said that, if every education-related web app met this test standard, it would be a big leap forward from where we