Web policy benchmark

Posted on 2012-04-12
Last Modified: 2012-06-27
Do you (for larger organisations especially) have any sort of security policy/benchmark for any applications that you host on your web servers which were developed by either internal web dev guys or external parties? Say, for example, 3rd parties develop some apps on your behalf, but the data is yours, i.e. on your private servers: do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers? If so, what is the name of this policy? And what does it cover?

Do you draw the line between COTS software and smaller development companies? I.e. if you have an Oracle web app, do you ask Oracle to complete your compliance policy, or do you just give it out to smaller orgs with a lower reputation?
Question by:pma111
6 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1000 total points
ID: 37841282
> ... do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers ...

I'd remove the "3rd party" in this question, as all apps need to have the same security level; the difference between 3rd party and internal dev guys is just a legal one.

According to policies, a minimum requirement would be:
  https://www.owasp.org/index.php/Top_10_2010  OWASP Top 10
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  http://cwe.mitre.org/top25/  CWE/SANS Top 25

This requirement could be part of a contract with 3rd party developers.
LVL 3

Author Comment

by:pma111
ID: 37841423
So the developers would prove compliance that their code addresses, for example, the OWASP Top 10. Is a self-assessment OK? Or do they need to prove an independent body came in and checked their app against the OWASP Top 10?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37841537
> Is a self assessment ok?

If you trust in such an assessment ...
When security counts, a (simple) assessment is not sufficient; you had better do source code analysis (SCA) or at least a penetration test, IMHO.
You need to find a balance between the risk you expect and want to mitigate and the costs for the audits and pentests.

LVL 3

Author Comment

by:pma111
ID: 37842087
Understood. Are there any architecture issues with an installation of a "web app"? I.e. we focus on the application code itself, but are there any considerations needed for the architecture that supports their application? If so, could you provide what assurances you'd want from the app owners on architecture, and how that may impact your environment?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37842160
Hmm, this sounds like the "how goes the world around" question.
There is no general answer to it, as it depends on too many factors (OS, language, framework, network, cluster, cloud, ISP, database, threat, risk, knowledge, etc. etc.).
I'd use my favorite search engine and throw in whatever I feel is important :-)
 
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 37842687
Can also consider the Web Application Security Consortium, which is well recognised for its criteria in defining evaluation criteria for security testing tools like web scanners and application firewalls. These are essentially assets which the evaluator has to be equipped with and the organisation deploys to protect web applications (against current, evolved web threats).

Understand that a policy is rather high level, but it should stay close to the best recommendations from the vendor as well, and be layered with more specific security needs of the organisation, e.g. defining the roles and responsibilities and an access control matrix for each role. For technology lockdown, a checklist from the vendor or community helps in setting the baseline and closing the low-hanging fruit.

http://www.webappsec.org/
http://pajhome.org.uk/security/webchecks.html
http://www.cgisecurity.com/2010/01/wasc-threat-classification-to-owasp-top-ten-rc1-mapping.html

This also includes considerations from open standards such as SAML (federated identity) and WS-Security for web services, to keep the policy open; in other words, avoid tying it to a proprietary standard, else it is not scalable (interoperability issue) and too restrictive for technology to comply with and support the requirements.

two cents...