The Information Security Primer for Evaluating Educational Software is a toolkit for people who want to learn how to evaluate the information security practices of educational software. While the primary audience for this document is people interested in running information security tests, our secondary audience includes people who will not be running tests but who want to learn more about what "information security" means.
As the title states, this document is a primer, not a comprehensive guide. We intend for this document to grow and evolve over time. Future versions will include more advanced testing scenarios, but for the initial version, we wanted to provide resources to allow people to learn how to do security reviews safely.
This guide was developed as part of the Common Sense District Privacy Evaluation Initiative. If you work at a school district and would like to join the consortium of districts working in the United States to help streamline the process of evaluating privacy policies for edtech apps, you can learn more and sign up here.
- A. Introduction: Who Should Read This
- B. Responsible Disclosure
- C. Setting Up the Testing Toolkit
- C1 The Toolkit: A Summary
- C2 Installing and Using Firebug to Observe HTTP and HTTPS Traffic
- C3 Installing and Using an Advanced Cookie Manager
- C4 Installing and Using ZAP Proxy to Observe HTTP and HTTPS Traffic
- C4.1 Installation and Initial Setup of OWASP ZAP
- C4.2 Basic Setup, Browser and Proxy on Same Computer
- C4.3 Setup for Testing Mobile Devices and/or Web Browsers on a Different Computer from the Proxy
- C4.4 Installing Proxy SSL Certificate on Browser and Mobile Devices
- C4.5 Observing WebSockets Traffic Using ZAP Proxy
- D. Preparing Firefox for Testing
- E. Testing Scenarios and Procedures
- E1 Sensitive Information in URLs
- E2 Encryption and Transport Layer Security
- E3 TLS for Email Sent by an Application to Users
- E4 Caching and History Storage of Pages with Sensitive Information
- E5 Authentication Token and Cookie Handling
- E6 Password Handling
- E7 Username Enumeration
- E8 Observation of WebSockets Traffic
- E9 Information Leakage
- E10 API Authentication Checks
- E11 Mobile Application Testing
- F. Glossary
Tony Porterfield, Jim Siegl, and Bill Fitzgerald are the primary authors of this text.
Girard Kelly, Jeff Graham, Jenny Pritchett, and Omar Khan provided editing support and testing.
Please contact Bill Fitzgerald ([email protected]) with any questions or comments on this primer.
We will also respond -- as time permits -- to issues in the issue queue.
We will be modifying this document over time to keep the tests current and to add tests. If you would like to contribute, please open an issue in the queue and/or make a pull request.
This is released under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: https://creativecommons.org/licenses/by-nc-sa/4.0/
Visit the Licensing and Attribution page for complete details.