Solved

Web policy benchmark

Posted on 2012-04-12
Last Modified: 2012-06-27
Do you (for larger organisations especially) have any sort of security policy/benchmark for applications that you host on your web servers which were developed by either internal web dev guys or external parties? Say, for example, 3rd parties develop some apps on your behalf, but the data is yours, i.e. on your private servers: do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers? If so, what is the name of this policy? And what does it cover?

Do you draw the line between COTS software and smaller development companies? I.e. if you have an Oracle web app, do you ask Oracle to complete your compliance policy, or do you just give it out to smaller orgs with a lower reputation?
Question by:pma111
6 Comments
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
> ... do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers ...

I'd remove the "3rd party" in this question, as all apps need to have the same security level;
the difference between 3rd party and internal dev guys is just a legal one.

according to policies, a minimum requirement would be:
  https://www.owasp.org/index.php/Top_10_2010  OWASP Top 10
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  http://cwe.mitre.org/top25/  CWE/SANS Top 25

this requirement could be part of a contract with 3rd party developers
LVL 3

Author Comment

by:pma111
So the developers would prove compliance that their code addresses, for example, the OWASP Top 10. Is a self-assessment OK? Or do they need to prove that an independent body came in and checked their app against the OWASP Top 10?
LVL 51

Expert Comment

by:ahoffmann
> Is a self assessment ok?
if you trust such an assessment ...
when security counts, a (simple) assessment is not sufficient; you'd better do source code analysis (SCA) or at least a penetration test, IMHO
you need to find a balance between the risk you expect and want to mitigate and the costs for the audits and pentests
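The two answers above name the OWASP Top 10 as the contractual minimum and then argue that a self-assessment is not enough; only a code review or a test that actually exercises the application tells you whether the minimum is met. The following is an added illustration, not code from the thread or from any of the linked projects, of what such an acceptance check looks like for two of the OWASP Top 10 2010 items (A1 Injection, A2 Cross-Site Scripting). The user table, the `lookup_*` and `render_greeting_*` functions and the probe payloads are all constructed for this example; a real check would run against the third party's code or deployed app, not against these stand-ins.

```python
import html
import sqlite3

# Constructed sample data: a small user table in an in-memory SQLite DB.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build the constructed sample database (assumption: three users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


# --- A1 Injection: the code pattern the policy should reject vs. accept ---

def lookup_vulnerable(conn, name):
    """String-built SQL: user input becomes part of the query text."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver sends the value separately from the SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload; no real user has this name, so a correct
# lookup must return zero rows.
INJECTION_PAYLOAD = "' OR '1'='1"


def injection_probe(lookup, conn):
    """Return True if the payload makes `lookup` disclose rows it should not."""
    try:
        rows = lookup(conn, INJECTION_PAYLOAD)
    except sqlite3.Error:
        # A SQL syntax error on tainted input is worth noting in a pentest
        # report, but this probe only flags data disclosure.
        return False
    return len(rows) > 0


# --- A2 XSS: reflecting user input into HTML with and without escaping ---

def render_greeting_vulnerable(name):
    """Concatenates raw input into markup."""
    return "<p>Hello " + name + "</p>"


def render_greeting_safe(name):
    """Escapes the input so it is rendered as text, never as markup."""
    return "<p>Hello " + html.escape(name) + "</p>"


XSS_PAYLOAD = "<script>alert(1)</script>"


def xss_probe(render):
    """Return True if the script tag survives verbatim in the rendered output."""
    return XSS_PAYLOAD in render(XSS_PAYLOAD)


def acceptance_report(conn):
    """One pass/fail entry per checked control, suitable for a hosting gate."""
    return {
        "A1_injection": {
            "vulnerable": injection_probe(lookup_vulnerable, conn),
            "safe": injection_probe(lookup_safe, conn),
        },
        "A2_xss": {
            "vulnerable": xss_probe(render_greeting_vulnerable),
            "safe": xss_probe(render_greeting_safe),
        },
    }


if __name__ == "__main__":
    for control, result in acceptance_report(make_db()).items():
        print(control, result)
```

The point of the probe functions is that they produce evidence (rows disclosed, tag reflected) rather than a checkbox; that is the difference between the self-assessment the question asks about and the source code analysis or penetration test the answer recommends. Each probe here is deliberately narrow; a real gate would cover the remaining Top 10 items and run against the actual application.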
LVL 3

Author Comment

by:pma111
Understood. Are there any architecture issues with an installation of a "web app"? I.e. we focus on the application code itself, but are there any considerations needed for the architecture that supports their application? If so, could you provide what assurances you'd want from the app owners on architecture, and how that may impact your environment?
LVL 51

Expert Comment

by:ahoffmann
hmm, this sounds like the "how goes the world around" question
there is no general answer to it, as it depends on too many factors (OS, language, framework, network, cluster, cloud, ISP, database, threat, risk, knowledge, etc. etc.)
I'd use my favorite search engine and throw in whatever I feel is important :-)
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
You can also consider the Web Application Security Consortium, which is well recognised for its evaluation criteria for security testing tools like web scanners and application firewalls. These are essentially assets which the evaluator has to be equipped with and the organisation has to deploy to protect web applications (against current, evolved web threats).

I understand that policy is rather high level, but it should stay close to the best recommendations from the vendor as well, layered with the more specific security needs of the organisation, e.g. defining the roles and responsibilities and an access control matrix for each role. For technology lockdown, a checklist from the vendor or community helps in setting the baseline and closing the low-hanging fruit.

http://www.webappsec.org/
http://pajhome.org.uk/security/webchecks.html
http://www.cgisecurity.com/2010/01/wasc-threat-classification-to-owasp-top-ten-rc1-mapping.html

This also includes considerations from open standards such as SAML (federated identity) and WS-Security for web services, to keep the policy open; in other words, avoid tying it to a proprietary standard, else it is not scalable (interoperability issues) and too restrictive for the technology to comply with and support the requirements.

two cents...