Web policy benchmark

Posted on 2012-04-12
Last Modified: 2012-06-27
Do you (for larger organisations especially) have any sort of security policy/benchmark for any applications that you host on your web servers which were developed either by internal web dev guys or by external parties? Say, for example, 3rd parties develop some apps on your behalf, but the data is yours, i.e. on your private servers: do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers? If so, what is the name of this policy? And what does it cover?

Do you draw the line between COTS software and smaller development companies? I.e. if you have an Oracle web app, do you ask Oracle to complete your compliance policy, or do you just give it out to smaller orgs with a lower reputation?
Question by: pma111
6 Comments
 
LVL 51

Accepted Solution

by: ahoffmann (earned 250 total points)
ID: 37841282
> ... do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers ...

I'd remove the "3rd party" in this question, as all apps need to have the same security level;
the difference between 3rd party and internal dev guys is just a legal one.

As for policies, a minimum requirement would be:
  https://www.owasp.org/index.php/Top_10_2010  OWASP Top 10
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  http://cwe.mitre.org/top25/  CWE/SANS Top 25

This requirement could be part of a contract with 3rd party developers.
 
LVL 3

Author Comment

by: pma111
ID: 37841423
So the developers would prove compliance that their code addresses, for example, the OWASP Top 10. Is a self-assessment OK? Or do they need to prove an independent body came in and checked their app against the OWASP Top 10?
 
LVL 51

Expert Comment

by: ahoffmann
ID: 37841537
> Is a self assessment ok?
If you trust in such an assessment ...
When security counts, a (simple) assessment is not sufficient; you had better do source code analysis (SCA) or at least a penetration test, IMHO.
You need to find a balance between the risk you expect and want to mitigate and the costs for the audits and pentests.
 
LVL 3

Author Comment

by: pma111
ID: 37842087
Understood. Are there any architecture issues with an installation of a "web app"? I.e. we focus on the application code itself, but are there any considerations needed for the architecture that supports their application? If so, could you provide what assurances you'd want from the app owners on architecture, and how that may impact your environment?
 
LVL 51

Expert Comment

by: ahoffmann
ID: 37842160
Hmm, this sounds like the "how goes the world around" question.
There is no general answer to it, as it depends on too many factors (OS, language, framework, network, cluster, cloud, ISP, database, threat, risk, knowledge, etc. etc.).
I'd use my favourite search engine and throw in whatever I feel is important :-)
 
LVL 62

Assisted Solution

by: btan (earned 250 total points)
ID: 37842687
Can also consider the Web Application Security Consortium, which is well recognised for its criteria in defining evaluation criteria for security testing tools like web scanners and application firewalls. These are essentially assets which the evaluator has to be equipped with and the organisation has deployed to protect web applications (with current evolved web threats).

Understand that a policy is rather high level, but it should stand close to the best recommendations from the vendor as well, layered with the more specific security needs of the organisation, e.g. defining the roles and responsibilities and an access control matrix for each role. For technology lockdown, a checklist from the vendor or community helps in setting the baseline, closing the low-hanging fruit.

http://www.webappsec.org/
http://pajhome.org.uk/security/webchecks.html
http://www.cgisecurity.com/2010/01/wasc-threat-classification-to-owasp-top-ten-rc1-mapping.html

This also includes considerations from open standards such as SAML (federated identity) and WS-Security for web services, to keep the policy open; in other words, avoid tying it to proprietary standards, else it is not scalable (interoperability issues) and too restrictive for technology to comply with and support the requirements.

two cents...
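As an added example, not code from the original thread or from any vendor mentioned in it, here is the "access control matrix for each role" that btan's reply says a hosting policy should define, written as a deny-by-default lookup that an application owner can hand over and a reviewer can test. The roles, resources and actions are constructed for illustration; nothing in the thread specifies them.

```python
"""Deny-by-default access control matrix (added example, not from the original thread).

The matrix maps (role, resource) to the set of actions that role may perform.
Any pair or action that is not listed is denied, so an omission in the policy
fails closed instead of open. The role, resource and action names are assumed
for illustration only.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample matrix: (role, resource) -> permitted actions.
ACL: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("viewer", "report"): frozenset({"read"}),
    ("editor", "report"): frozenset({"read", "write"}),
    ("admin", "report"): frozenset({"read", "write", "delete"}),
    ("admin", "user"): frozenset({"read", "write", "delete"}),
    ("auditor", "audit_log"): frozenset({"read"}),
}


def is_allowed(roles: Iterable[str], resource: str, action: str) -> bool:
    """Return True only if at least one of the subject's roles explicitly
    grants `action` on `resource`. Empty role sets and unknown resources
    fall through to the default deny."""
    return any(action in ACL.get((role, resource), frozenset()) for role in roles)


def matrix_gaps(all_roles: Iterable[str], all_resources: Iterable[str]) -> List[Tuple[str, str]]:
    """List every (role, resource) pair the matrix never mentions.

    A policy reviewer walks this list to confirm each omission is an
    intentional deny rather than a forgotten entry."""
    return sorted(
        (role, res)
        for role in all_roles
        for res in all_resources
        if (role, res) not in ACL
    )


def check_requests(requests: Iterable[Tuple[Iterable[str], str, str]]) -> List[str]:
    """Evaluate a batch of (roles, resource, action) requests and return
    'allow' or 'deny' for each, in order. Useful as a table-driven test
    that a third party can run against their own implementation."""
    return ["allow" if is_allowed(roles, res, act) else "deny" for roles, res, act in requests]


if __name__ == "__main__":
    # Constructed sample requests exercising the default-deny paths.
    sample = [
        ({"viewer"}, "report", "read"),          # allow
        ({"viewer"}, "report", "write"),         # deny: action not granted
        ({"viewer"}, "audit_log", "read"),       # deny: pair absent from matrix
        ({"viewer", "auditor"}, "audit_log", "read"),  # allow via second role
        (set(), "report", "read"),               # deny: no roles at all
    ]
    for req, decision in zip(sample, check_requests(sample)):
        print(req, "->", decision)
    print("unreviewed pairs:", matrix_gaps(["viewer", "admin"], ["report", "user"]))
```

The point of `matrix_gaps` is the review step: the matrix itself only says what is allowed, so the reviewer needs a list of what was never written down to decide whether each silent deny was deliberate.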
