
Solved

Web policy benchmark

Posted on 2012-04-12
534 Views
Last Modified: 2012-06-27
Do you (for larger organisations especially) have any sort of security policy/benchmark for any applications that you host on your web servers which were developed by either internal web dev guys or external parties? Say, for example, 3rd parties develop some apps on your behalf, but the data is yours, i.e. on your private servers: do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers? If so, what is the name of this policy? And what does it cover?

Do you draw the line between COTS software and smaller development companies? I.e. if you have an Oracle web app, do you ask Oracle to complete your compliance policy, or do you just give it out to smaller orgs with a lower reputation?
Question by:pma111
6 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1000 total points
ID: 37841282
> ... do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers ...

I'd remove the "3rd party" in this question, as all apps need to have the same security level;
the difference between 3rd party and internal dev guys is just a legal one.

Regarding policies, a minimum requirement would be:
  https://www.owasp.org/index.php/Top_10_2010  OWASP Top 10
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  http://cwe.mitre.org/top25/  CWE/SANS Top 25

This requirement could be part of a contract with 3rd party developers.
 
LVL 3

Author Comment

by:pma111
ID: 37841423
So the developers would prove compliance, i.e. that their code addresses, for example, the OWASP Top 10. Is a self-assessment OK? Or do they need to prove an independent body came in and checked their app against the OWASP Top 10?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37841537
> Is a self-assessment OK?
If you trust in such an assessment ...
When security counts, a (simple) assessment is not sufficient; you had better do source code analysis (SCA) or at least a penetration test, IMHO.
You need to find a balance between the risk you expect and want to mitigate and the costs of the audits and pentests.
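As an added illustration of what "source code analysis" looks like as a gate, rather than a self-assessment checkbox (example code added here, not from this thread or from any of the posters): a minimal AST-based check for one OWASP Top 10 (2010) item, A1 Injection, in the specific form of SQL statements assembled by string concatenation, `%` formatting, `.format()` or f-strings instead of parameterised queries. The sample source it scans is constructed for the example and stands in for a Python app submitted by a third-party developer; the function names, the `SQL_EXEC_METHODS` set and the sample itself are assumptions, and a real gate would cover far more than this one pattern.

```python
"""Minimal source-code analysis gate for OWASP Top 10 (2010) A1 Injection:
flag DB-API execute*() calls whose statement is built at runtime.
Added example; the sample source below is constructed, not real code."""
import ast

# Constructed sample standing in for a third-party app under review.
SAMPLE_SOURCE = '''
import sqlite3

def find_user_unsafe(conn, name):
    # vulnerable: untrusted input spliced into the statement text
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fstring(conn, name):
    # vulnerable: f-string interpolation is still string building
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_format(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_safe(conn, name):
    # parameterised: the driver keeps the data separate from the statement
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# Assumed DB-API method names whose first argument is the SQL text.
SQL_EXEC_METHODS = {"execute", "executemany", "executescript"}


def _is_built_string(node):
    """True if the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x, "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


class _SqlBuildFinder(ast.NodeVisitor):
    """Walk the tree, remembering which function each call sits in."""

    def __init__(self):
        self.findings = []          # list of (line number, enclosing function)
        self._scope = ["<module>"]

    def visit_FunctionDef(self, node):
        self._scope.append(node.name)
        self.generic_visit(node)
        self._scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_EXEC_METHODS
                and node.args
                and _is_built_string(node.args[0])):
            self.findings.append((node.lineno, self._scope[-1]))
        self.generic_visit(node)


def find_sql_string_building(source):
    """Return (line, function) for every execute*() call fed a runtime-built string."""
    finder = _SqlBuildFinder()
    finder.visit(ast.parse(source))
    return finder.findings


def passes_injection_gate(source):
    """The contractual gate: no findings means the submission may proceed."""
    return not find_sql_string_building(source)


if __name__ == "__main__":
    for line, func in find_sql_string_building(SAMPLE_SOURCE):
        print(f"line {line} in {func}(): SQL statement built from runtime data")
    print("gate passed" if passes_injection_gate(SAMPLE_SOURCE) else "gate FAILED")
```

The point of the example is the difference in evidence: a self-assessment says "we address injection", whereas a check like this, run over the delivered source as part of acceptance, either produces findings with line numbers or it does not. The parameterised `find_user_safe` is left alone because its first argument is a plain constant; the three string-building variants are each reported.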

 
LVL 3

Author Comment

by:pma111
ID: 37842087
Understood. Are there any architecture issues with an installation of a "web app"? I.e. we focus on the application code itself, but are there any considerations needed for the architecture that supports their application? If so, could you provide what assurances you'd want from the app owners on architecture, and how that may impact your environment?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37842160
Hmm, this sounds like the "how goes the world around" question.
There is no general answer to it, as it depends on too many factors (OS, language, framework, network, cluster, cloud, ISP, database, threat, risk, knowledge, etc. etc.).
I'd use my favourite search engine and throw in whatever I feel is important :-)
 
LVL 64

Assisted Solution

by:btan
btan earned 1000 total points
ID: 37842687
You can also consider the Web Application Security Consortium, which is well recognised for its criteria in defining evaluation criteria for security testing tools like web scanners and application firewalls. These are essentially assets which the evaluator has to be equipped with and the organisation has deployed to protect web applications (against currently evolving web threats).

Understand that policy is rather high level, but it should stay close to the best recommendations from the vendor as well, and be layered with the more specific security needs of the organisation, e.g. defining the roles and responsibilities and an access control matrix for each role. For technology lockdown, a checklist from the vendor or community helps in setting the baseline and closing the low-hanging fruit.

http://www.webappsec.org/
http://pajhome.org.uk/security/webchecks.html
http://www.cgisecurity.com/2010/01/wasc-threat-classification-to-owasp-top-ten-rc1-mapping.html

This also includes considerations from open standards such as SAML (federated identity) and WS-Security for web services, to keep the policy open; in other words, avoid tying it to a proprietary standard, else it is not scalable (interoperability issues) and too restrictive for the technology to comply with and support the requirements.

two cents...
