Pau Lo asked:
Web policy benchmark

Do you (for larger organisations especially) have any sort of security policy/benchmark for any applications that you host on your web servers which were developed by either internal web dev guys or external parties? Say, for example, 3rd parties develop some apps on your behalf, but the data is yours, i.e. on your private servers: do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers? If so, what is the name of this policy? And what does it cover?

Do you draw the line between COTS software and smaller development companies? I.e. if you have an Oracle web app, do you ask Oracle to complete your compliance policy, or do you just give it out to smaller orgs with a lower reputation?
ASKER CERTIFIED SOLUTION by ahoffmann (Germany)
Pau Lo (asker):
So the developers would prove compliance that their code addresses, for example, the OWASP Top 10. Is a self-assessment OK? Or do they need to prove an independent body came in and checked their app against the OWASP Top 10?
> Is a self-assessment OK?
if you trust in such an assessment ...
when security counts, a (simple) assessment is not sufficient; you better do source code analysis (SCA) or at least a penetration test, IMHO
you need to find a balance between the risk you expect and want to mitigate and the costs of the audits and pentests
Pau Lo (asker):
Understood. Are there any architecture issues with an installation of a "web app"? I.e. we focus on the application code itself, but are there any considerations needed for the architecture that supports their application? If so, could you provide what assurances you'd want from the app owners on architecture, and how that may impact your environment?
hmm, this sounds like the "how goes the world around" question
there is no general answer to it, as it depends on too many factors (OS, language, framework, network, cluster, cloud, ISP, database, threat, risk, knowledge, etc. etc.)
I'd use my favorite search engine and throw in whatever I feel is important :-)
SOLUTION by btan