Moodle 4 Security

Product type: Book
Published in: Mar 2024
Publisher: Packt
ISBN-13: 9781804611661
Pages: 288
Edition: 1st Edition
Author: Ian Wild

Table of Contents (18 chapters)

Preface
Part 1: Moodle Security Primer
Chapter 1: Moodle Security – First Steps
Chapter 2: Moodle Threat Modeling
Chapter 3: Security Industry Standards
Part 2: Moodle Server Security
Chapter 4: Building a Secure Linux Server
Chapter 5: Endpoint Protection
Chapter 6: Denial of Service Protection
Chapter 7: Backup and Disaster Recovery
Part 3: Moodle Application Security
Chapter 8: Meeting Data Protection Requirements
Chapter 9: Moodle Security Audit
Chapter 10: Understanding Vulnerabilities
Part 4: Moodle Infrastructure Monitoring
Chapter 11: Infrastructure Monitoring
Index
Other Books You May Enjoy

Security Industry Standards

In Chapter 2, we explored threat modeling. We learned that it’s vital to communicate what we are building so that we can understand the security threats we face. We asked ourselves four basic questions, ranging from “What are we working on?” to “Did we do a good job?”

Recall in Chapter 1, we touched on regulatory frameworks and how particular jurisdictions implement statutory security requirements.

In this chapter, we explore the work being carried out by both non-governmental/non-profit and governmental organizations to support our work as Moodle security advisors. We focus on US-based organizations, but the recommendations and benchmarks they promote apply worldwide. Following their recommendations not only helps secure the Mathaholics platform but also brings quality and consistency. Consistency means increasing our productivity too – making it easier to find the...

Technical requirements

There are no technical requirements for this chapter.

The Open Web Application Security Project – OWASP

The OWASP is a non-profit online community focusing on web application security. Every few years (the most recent editions appeared in 2017 and 2021), OWASP publishes its “Top 10” awareness document, which ranks the most critical web application security risks for application developers. While reading this section, keep your focus on Moodle and on any associated web applications you intend to deploy, such as BigBlueButton. The OWASP provides tools, resources, and training, as well as an opportunity to become engaged in an active community of technologists specializing in web application security. For more details on the OWASP and its work, visit https://owasp.org/.

There are a number of OWASP projects that apply to the development of the Mathaholics platform, including the following:

  • Software bill of materials – It is important to know which third-party libraries your environment is using because if a vulnerability were to be identified in any of them, it would need to be addressed...
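A software bill of materials only pays off when it is generated from what is actually deployed and then matched against advisories. Moodle ships a thirdpartylibs.xml file alongside each bundled third-party library (in lib/ and inside individual plugins), so that is the natural place to start. The following script, written for this edit and not part of the book or of Moodle, parses files in that XML shape into a flat inventory and checks it against an advisory list. The library names, version numbers and advisory identifiers in it are constructed for the demonstration and do not refer to real libraries or real vulnerabilities; the treatment of an entry with no recorded version (flagged rather than silently skipped) is a design choice of this example.

```python
"""Minimal SBOM builder for Moodle-style thirdpartylibs.xml files, with a
check against a list of advisories.  Example code added for this edit;
it is not from the book and not part of Moodle.  The XML shape (a
<libraries> root holding <library> entries with <location>, <name>,
<version> and <license>) follows the thirdpartylibs.xml files Moodle
ships; the library names, versions and advisory IDs are constructed."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the thirdpartylibs.xml shape.  LegacyWidget has
# no <version> element on purpose, to exercise the unknown-version path.
SAMPLE_THIRDPARTYLIBS = """<?xml version="1.0"?>
<libraries>
  <library>
    <location>parserkit</location>
    <name>ParserKit</name>
    <version>2.4.1</version>
    <license>MIT</license>
  </library>
  <library>
    <location>mathrender</location>
    <name>MathRender</name>
    <version>1.9.0</version>
    <license>BSD</license>
  </library>
  <library>
    <location>chartlib</location>
    <name>ChartLib</name>
    <version>3.0.2</version>
    <license>GPL</license>
  </library>
  <library>
    <location>legacywidget</location>
    <name>LegacyWidget</name>
    <license>MIT</license>
  </library>
</libraries>
"""

# Constructed advisory feed: lower-cased library name -> list of
# (first fixed version, advisory id).  Every version below the fixed
# version is treated as affected.  These IDs are not real CVEs.
CONSTRUCTED_ADVISORIES = {
    "parserkit": [("2.5.0", "EXAMPLE-2024-0001")],
    "chartlib": [("3.0.0", "EXAMPLE-2023-0042")],
    "legacywidget": [("1.2.0", "EXAMPLE-2022-0007")],
}


def parse_version(text):
    """Turn '2.4.1' or '1.9.0-beta' into a comparable tuple of ints.
    Non-numeric suffixes are dropped; an empty string becomes (0,), which
    compares as older than any release, so a library with no recorded
    version is flagged for review rather than skipped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts) or (0,)


def sbom_from_xml(xml_text, component):
    """Parse one thirdpartylibs.xml document into inventory entries."""
    root = ET.fromstring(xml_text)
    if root.tag != "libraries":
        raise ValueError(f"{component}: unexpected root element <{root.tag}>")
    entries = []
    for lib in root.findall("library"):
        entries.append({
            "component": component,
            "location": (lib.findtext("location") or "").strip(),
            "name": (lib.findtext("name") or "").strip(),
            "version": (lib.findtext("version") or "").strip(),
            "license": (lib.findtext("license") or "").strip(),
        })
    return entries


def collect_sbom(moodle_root):
    """Walk a Moodle checkout and merge every thirdpartylibs.xml found.
    The component label is the directory holding the file, e.g. 'lib'."""
    root = Path(moodle_root)
    sbom = []
    for xml_path in sorted(root.rglob("thirdpartylibs.xml")):
        component = str(xml_path.parent.relative_to(root)) or "."
        sbom.extend(sbom_from_xml(xml_path.read_text(encoding="utf-8"), component))
    return sbom


def find_vulnerable(sbom, advisories):
    """Match inventory entries against the advisory feed."""
    hits = []
    for entry in sbom:
        for fixed_in, advisory in advisories.get(entry["name"].lower(), []):
            if parse_version(entry["version"]) < parse_version(fixed_in):
                hits.append({
                    "component": entry["component"],
                    "name": entry["name"],
                    "version": entry["version"] or "unknown",
                    "advisory": advisory,
                    "fixed_in": fixed_in,
                })
    return hits


if __name__ == "__main__":
    inventory = sbom_from_xml(SAMPLE_THIRDPARTYLIBS, "lib")
    for hit in find_vulnerable(inventory, CONSTRUCTED_ADVISORIES):
        print(f"{hit['component']}/{hit['name']} {hit['version']}: "
              f"{hit['advisory']} (fixed in {hit['fixed_in']})")
```

Against a real checkout you would call collect_sbom("/var/www/moodle") and swap the constructed dictionary for an advisory feed; the version comparison is deliberately simple and should be replaced by the feed's own range semantics where they differ.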

The Center for Internet Security (CIS), Inc.

The CIS is a community-driven non-profit organization that was set up in the US in the year 2000 by representatives from both business and government. The organization was founded to address what was, at that time, the growing threat from cyberattacks. Possibly the best-known attacker from this time is Michael Calce, also known as MafiaBoy. He unleashed a series of DDoS attacks against the leading commercial websites of the time (some of which are still with us today, for example, eBay and Amazon), as well as attempting (but failing) to attack a number of DNS root name servers. Some have estimated the damage he caused to businesses at around 1 billion US dollars.

The CIS remit is broader than that of the OWASP. Where the OWASP focuses on web application security, the focus of the CIS takes in organizational practices and procedures, which the CIS refers to as actions. Not only do CIS recommendations include...

Federal agency recommendations

As mentioned in Chapter 1, United States federal responsibility for cybersecurity – and data protection in particular – is, in some ways, fragmented between different agencies and the different states. This said, the National Institute of Standards and Technology (NIST) leads the development of a cybersecurity framework for organizations in the critical infrastructure sectors. This work stems from Executive Order 13636, issued in 2013, which directed NIST to work with agencies and organizations to develop a (voluntary) cybersecurity framework, the aim of which is to reduce risks to critical infrastructure. NIST was directed to undertake this work because cyber threats pose a risk not just to national security but also to economic security.

In this section, we investigate the NIST Cybersecurity Framework and how we can apply it to the Mathaholics Moodle project.

The NIST Cybersecurity Framework – overview

NIST is part of the U.S. Department...

Bringing security industry standards together – the CIA triad

So far, we have been exploring frameworks, controls, and benchmarks developed to ensure applications, services, systems, and processes are defended against cyber threats. How can we bring these different approaches together into a coherent whole? One answer is the CIA triad, where CIA is not the U.S. Central Intelligence Agency but an acronym that can be used to guide the development of policies and procedures to protect data. The letters of the triad stand for the following:

  • Confidentiality – Only authorized users have access to specific data. Moodle is a role-based system. Moodle users can have different roles (even multiple roles) in different contexts. But this same logic must also apply to other areas of our system. For example, the web service should only have access to the files and directories it needs for normal operation. This is called the principle of least privilege and will...
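Least privilege on the filesystem is easy to state and easy to get wrong during deployment, so it is worth checking mechanically. The script below, written for this edit and not part of the book or of Moodle, audits a Moodle-style layout under two assumptions: the web server runs as a dedicated non-root user that must not be able to write to the code directory (which holds config.php and its database credentials), and moodledata must be writable by that user but not readable by anyone else. It builds a constructed demo tree in a temporary directory, using the current user as the stand-in web server user because changing ownership requires root, and evaluates the classic Unix mode bits only (root, POSIX ACLs and SELinux are not modelled).

```python
"""Least-privilege audit of a Moodle file layout.  Example code added for
this edit; not from the book and not part of Moodle.  Assumptions: the
web server runs as a dedicated non-root user; the code tree (including
config.php, which holds the database credentials) must not be writable by
that user; moodledata must be writable by it and not readable by others.
Only the Unix owner/group/other mode bits are evaluated."""
import os
import shutil
import stat
import tempfile

_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
}


def mode_allows(st, uid, gid, perm):
    """Unix DAC rule: owner bits if uid matches, otherwise group bits if
    gid matches, otherwise the 'other' bits.  Root bypasses all of this."""
    usr, grp, oth = _BITS[perm]
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    if st.st_gid == gid:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)


def _entries(top):
    """Yield (path, lstat) for top and everything below it.  Symlinks are
    reported but never followed, so a link out of the tree is not descended."""
    for dirpath, _dirnames, filenames in os.walk(top, followlinks=False):
        yield dirpath, os.lstat(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            yield path, os.lstat(path)


def _label(prefix, top, path):
    rel = os.path.relpath(path, top)
    return prefix if rel == "." else f"{prefix}/{rel}"


def audit(code_dir, data_dir, web_uid, web_gid):
    """Return a list of (entry, issue) findings for the two trees."""
    findings = []
    for path, st in _entries(code_dir):
        label = _label("code", code_dir, path)
        if st.st_mode & stat.S_IWOTH:
            findings.append((label, "world-writable"))
        if mode_allows(st, web_uid, web_gid, "w"):
            findings.append((label, "writable by web server user"))
    for path, st in _entries(data_dir):
        label = _label("moodledata", data_dir, path)
        if st.st_mode & stat.S_IWOTH:
            findings.append((label, "world-writable"))
        elif st.st_mode & stat.S_IROTH:
            findings.append((label, "world-readable"))
        if not mode_allows(st, web_uid, web_gid, "w"):
            findings.append((label, "not writable by web server user"))
    return findings


def build_demo_tree():
    """Constructed layout: a correctly read-only config.php, a plugin file
    the web user can write, a world-writable stray file in the code tree,
    and a world-readable blob in moodledata.  Returns (root, code, data)."""
    root = tempfile.mkdtemp(prefix="moodle-audit-")
    code = os.path.join(root, "code")
    data = os.path.join(root, "moodledata")
    os.makedirs(os.path.join(code, "lib"))
    os.makedirs(os.path.join(data, "filedir"))
    os.makedirs(os.path.join(data, "cache"))
    spec = {
        (code, "config.php"): 0o440,
        (code, "lib/plugin.php"): 0o664,
        (code, "tmp.php"): 0o666,
        (data, "filedir/blob"): 0o644,
        (data, "cache/x"): 0o660,
    }
    for (base, rel), mode in spec.items():
        path = os.path.join(base, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    for d in (code, os.path.join(code, "lib")):
        os.chmod(d, 0o555)
    for d in (data, os.path.join(data, "filedir"), os.path.join(data, "cache")):
        os.chmod(d, 0o770)
    return root, code, data


def remove_demo_tree(root):
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o700)
    shutil.rmtree(root)


def run_demo():
    """Audit the constructed tree with the current user as the web user."""
    root, code, data = build_demo_tree()
    try:
        return set(audit(code, data, os.getuid(), os.getgid()))
    finally:
        remove_demo_tree(root)


if __name__ == "__main__":
    for entry, issue in sorted(run_demo()):
        print(f"{entry}: {issue}")
```

On a real host, replace the demo tree with the installed paths and pass the web server account's uid and gid (for example from pwd.getpwnam("www-data")); run it as root so that every entry can be stat'ed, remembering that the audit reports what a non-root web user would be allowed, not what root can do.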

Summary

In the previous chapter, we learned how threat modeling is used to identify security threats in the Moodle environment as it is being designed. Building on this knowledge, in this chapter, we learned how security frameworks can be used to capture and manage cybersecurity threats, not only in the application but also in the wider organization.

The OWASP actively gathers data on current and emerging threats. As you have seen, we can use the resulting Top 10 Web Application Security Risks to check that we are guarding our Moodle application against these threats. The OWASP Top 10 will be particularly important if you are developing your own Moodle plugins.

Moving from the application to the server and its supporting technologies, we then explored how the CIS Critical Security Controls and CIS Benchmarks provide the guidelines for configuring our Moodle environment to be protected against cyber threats.

Finally, bringing all this together is the NIST Cybersecurity Framework...
