Web policy benchmark

Do you (for larger organisations especially) have any sort of security policy/benchmark for any applications that you host on your web servers which were developed by either internal web dev guys or external parties? Say, for example, 3rd parties develop some apps on your behalf, but the data is yours, i.e. on your private servers; do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers? If so, what is the name of this policy? And what does it cover?

Do you draw the line between COTS software and smaller development companies? I.e. if you have an Oracle web app, do you ask Oracle to complete your compliance policy, or do you just give it out to smaller orgs with a lower reputation?
pma111 Asked:
 
ahoffmann Commented:
> ... do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers ...

I'd remove the "3rd party" from this question, as all apps need to have the same security level; the difference between 3rd-party and internal dev guys is just a legal one.

Regarding policies, a minimum requirement would be:
  https://www.owasp.org/index.php/Top_10_2010  OWASP Top 10
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  http://cwe.mitre.org/top25/  CWE/SANS Top 25

This requirement could be part of a contract with 3rd-party developers.
 
pma111 (Author) Commented:
So the developers would prove compliance, i.e. that their code addresses, for example, the OWASP Top 10. Is a self-assessment OK? Or do they need to prove that an independent body came in and checked their app against the OWASP Top 10?
 
ahoffmann Commented:
> Is a self assessment ok?
If you trust in such an assessment ...
When security counts, a (simple) assessment is not sufficient; you had better do source code analysis (SCA) or at least a penetration test, IMHO.
You need to find a balance between the risk you expect and want to mitigate and the costs of the audits and pentests.

 
pma111 (Author) Commented:
Understood. Are there any architecture issues with an installation of a "web app"? I.e. we focus on the application code itself, but are there any considerations needed for the architecture that supports their application? If so, could you provide what assurances you'd want from the app owners on architecture, and how that may impact your environment?
 
ahoffmann Commented:
Hmm, this sounds like the "how goes the world around" question.
There is no general answer to it, as it depends on too many factors (OS, language, framework, network, cluster, cloud, ISP, database, threat, risk, knowledge, etc. etc.).
I'd use my favorite search engine and throw in whatever I feel is important :-)
 
btan (Exec Consultant) Commented:
You can also consider the Web Application Security Consortium, which is well recognised for its criteria in defining evaluation criteria for security testing tools like web scanners and application firewalls. These are essentially assets which an evaluator has to be equipped with and an organisation has to deploy to protect web applications (against current, evolved web threats).

I understand that policy is rather high level, but it should stand close to the best recommendations from the vendor as well, and be layered with more specific security needs of the organisation, e.g. defining the roles and responsibilities and an access control matrix for each role. For technology lockdown, a checklist from the vendor or community helps in setting the baseline and closing the low-hanging fruit.

http://www.webappsec.org/
http://pajhome.org.uk/security/webchecks.html
http://www.cgisecurity.com/2010/01/wasc-threat-classification-to-owasp-top-ten-rc1-mapping.html

This also includes considerations from open standards such as SAML (federated identity) and WS-Security for web services, to keep the policy open; in other words, avoid tying it to proprietary standards, or else it is not scalable (interoperability issues) and too restrictive for technology to comply with and support the requirements.

two cents...
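btan's point about defining an access control matrix for each role is the one concrete design item in this thread, so here is an added illustration of what that matrix looks like when it is enforced in code rather than kept in a policy document. This is example code written for this page, not code from the thread, from WASC or from any linked project; every role, resource and action name in it is constructed. It shows a deny-by-default lookup (anything not explicitly granted is refused, including unknown roles and resources) plus two review helpers: one that lists resources no role can reach at all, which is where a new endpoint that nobody added a row for will show up, and one that lists which roles hold a given right.

```python
"""Deny-by-default access control matrix (added illustration, not from the thread).

The matrix below is a constructed example: three roles, three resources and
the actions each role is explicitly permitted.  Anything not listed is denied.
"""
from typing import Dict, FrozenSet, Set

# Constructed matrix: role -> resource -> allowed actions.  All names are
# hypothetical; a real application would load this from its policy store.
ACCESS_MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "viewer": {
        "report": frozenset({"read"}),
    },
    "editor": {
        "report": frozenset({"read", "write"}),
        "upload": frozenset({"create"}),
    },
    "admin": {
        "report": frozenset({"read", "write", "delete"}),
        "upload": frozenset({"create", "delete"}),
        "user_account": frozenset({"read", "write", "delete"}),
    },
}

# Every resource the application exposes (constructed list).  "audit_log" is
# deliberately present here but absent from the matrix, to show the review gap.
KNOWN_RESOURCES: FrozenSet[str] = frozenset(
    {"report", "upload", "user_account", "audit_log"}
)


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Return True only if the matrix explicitly grants (role, resource, action).

    Unknown roles, unknown resources and unlisted actions all fall through to
    an empty set and therefore to a deny, so a newly added endpoint stays
    closed until somebody adds a row for it.
    """
    return action in ACCESS_MATRIX.get(role, {}).get(resource, frozenset())


def unmapped_resources() -> Set[str]:
    """Resources that no role can reach at all.

    Each one is a review item: either the resource is dead and should be
    removed, or a matrix row is missing and the feature is silently broken.
    """
    covered = {res for perms in ACCESS_MATRIX.values() for res in perms}
    return set(KNOWN_RESOURCES - covered)


def roles_with_action(resource: str, action: str) -> Set[str]:
    """Which roles may perform `action` on `resource`.

    Useful when reviewing destructive rights: the answer for "delete" should
    be a short list, and every role on it should be justified.
    """
    return {
        role
        for role, perms in ACCESS_MATRIX.items()
        if action in perms.get(resource, frozenset())
    }


if __name__ == "__main__":
    print(is_allowed("viewer", "report", "write"))   # False: not granted
    print(is_allowed("admin", "audit_log", "read"))  # False: no row at all
    print(is_allowed("guest", "report", "read"))     # False: unknown role
    print(sorted(unmapped_resources()))              # ['audit_log']
    print(sorted(roles_with_action("report", "delete")))  # ['admin']
```

The important property is that the check has no "allow" branch of its own: `is_allowed` can only return True for a triple somebody wrote down, which is the lockdown baseline btan describes. The `unmapped_resources` helper is the part worth running against a real deployment, because an application whose route table lists more resources than its matrix does is exactly the low-hanging fruit a vendor or community checklist would flag.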