Solved

IT Security Website

Posted on 2014-10-16
Last Modified: 2014-10-20
Hi,

we want to create a new website and make sure it is secure. What would be your checklist, main questions to vendors/website providers about the IT security? What would you ask and make sure is in place so that we know we have a secure website?

Thank you,
HelenIT
Question by:HelenIT
7 Comments
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40384935
I would make sure your developers are trained on secure coding, and do a good Quality Assurance check for it all. Implement a change control process to make sure all changes are documented and controlled; I would use some version control system. Once you're live (or about to go live), have a penetration test conducted against it to find any holes you didn't catch previously. You can request a redacted version of the final report to share with 3rd parties you want to work with (if your pentest vendor doesn't offer this, find a different vendor) once you've remediated the findings.
 
LVL 25

Expert Comment

by:madunix
ID: 40385349
As said above, most attacks can be easily prevented if the coder/programmer uses coding standards and security in the code, so write software that proactively implements parameter checking to ensure that the vulnerability is not written into the software, which takes training and standards, and keep testing your software/application for the presence of vulnerabilities. Additionally, make sure your web server is up-to-date with the latest security fixes, policy backups of the data would be a must, and also implement a WAF and firewall.
 

Author Comment

by:HelenIT
ID: 40386300
Thanks both. Would there be a list that you know of that I could check off as I go along and test?

 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40386966
I'm sorry, but there's no really good (or widely acceptable) checklist. Here's what I'd try and capture:

Developers are well trained and practice secure coding

Change Management process and version control is in place

Firewall is in place and configured properly

IPS is in place and configured properly

Optional -- Site is tested by a penetration test, results are acceptable (critical, high, and medium findings are mitigated)
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 40387096
I don't know which security tips are related to your systems, but it's a good practice to find two or three sources of information, such as the sans.org, owasp.org and csrc.nist.gov pages; that way you can pick up more security tips. You can go from more generalist tips to more specific tips, which seems to be a good approach to secure your servers.

I do the following checkup:

Patches and Updates
Accounts
Files and Directories
Auditing and Logging
Server Certificates
Code Access Security
Code security
Functionality File Uploads
Server Configuration
Backup and Restore
Firewall Protection
Default Password Policy
Disabling Unnecessary Service

I would also read https://code.google.com/p/wasclist/
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 167 total points
ID: 40388666
The OWASP Top 10 is exactly the list you want; it's the most common mistakes that lead to compromise:
https://www.owasp.org/index.php/Top_10_2013-Top_10

Keep in mind that security does not stop at the page/website level. You need to observe best practices throughout your network, and that goes beyond patching and AV scanning. The principle of least privilege is the single most important one. Check your hosting provider's track record, ask them what laws and mandates they are compliant with (PCI/SOX/HIPAA/GLBA/FISMA) and what their process is for staying that way.
-rich
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 40388788