Solved

IT Security Website

Posted on 2014-10-16
7
204 Views
Last Modified: 2014-10-20
Hi,

we want to create a new website and make sure it is secure. What would be your checklist, main questions to vendors/website providers about the IT security? What would you ask and make sure is in place so that we know we have a secure website?

Thank you,
HelenIT
0
Comment
Question by:HelenIT
7 Comments
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40384935
I would make sure your developers are trained on secure coding, do a good Quality Assurance check for it all.  Implement a change control process to make sure all changes are documented and controlled, I would use some version control system.  Once you're live (or about to go live), have a penetration test conducted against it to find any holes you didn't catch previously.  You can request a redacted version of the final report to share with 3rd parties you want to work with (if your pentest vendor doesn't offer this, find a different vendor) once you've remediated the findings.
0
 
LVL 25

Expert Comment

by:madunix
ID: 40385349
As said above, most of attacks can be  easily prevented if the coder/programmer used coding standard and security in the code, so write software that proactively implements parameter checking to insure that the vulnerability is not written into the software, which takes training and standards, and keep testing your software/application for the presence of  vulnerabilities. Additionally, make sure your web server is up-to-date with latest security fixes, Policy backups of the data would be a must, also implement WAF and firewall.
0
 

Author Comment

by:HelenIT
ID: 40386300
Thanks both. Would there be a list that you know of that I could check off as I go along and test?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40386966
I'm sorry, but there's no real good (or widely acceptable) checklist.  Here's what I'd try and capture:

Developers are well trained and practice secure coding

Change Management process and version control is in place

Firewall is in place and configured properly

IPS is in place and configured properly

Optional -- Site is tested by a penetration test, results are acceptable (critical, high, and medium findings are mitigated)
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 40387096
I don't know which security tips are related to your systems, but it's a good practice to find two or three sources of information, such as sans.org, owasp.org, csrc.nist.gov pages way you can pick more security tips. You can go from more generalist tips to more specific tips, that seems to be a good approach to secure your servers.

I do the following checkup:

Patches and Updates
Accounts
Files and Directories
Auditing and Logging
Server Certificates
Code Access Security
Code security
Functionality File Uploads
Server Configuration
Backup and Restore
Firewall Protection
Default Password Policy
Disabling Unnecessary Service

I would also read https://code.google.com/p/wasclist/
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 167 total points
ID: 40388666
The OWASP top 10 is exactly the list you want, its the most common mistakes that lead to compromise:
https://www.owasp.org/index.php/Top_10_2013-Top_10

Keep in mind that security does not stop at the page/website level. You need to observe best practices throughout your network, and that goes beyond patching and AV scanning. The principal of least privilege is the single most important one. Check your hosting providers track record, ask them what laws and mandates they are compliant with (PCI/SOX/HIPPA/GLBA/FISMA) and what their process is for staying that way.
-rich
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 40388788
0

Featured Post

Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
This guide will walk you through the essential considerations and tech stack for building scalable websites. Know how to grow your business the smart way!
The purpose of this video is to demonstrate how to add AdSense Ads to a WordPress Website, and how to set up WordPress to automatically place Ads in Sidebars. This will be demonstrated using a Windows 8 PC. Log into your AdSense account. : Cli…
The purpose of this video is to demonstrate how to integrate Mailchimp with WordPress, by placing a Mailchimp signup form on a WordPress Page or Post. This will be demonstrated using a Windows 8 PC. Mailchimp will be used. Log into your Mailchi…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now