Solved

IT Security Website

Posted on 2014-10-16
7
216 Views
Last Modified: 2014-10-20
Hi,

we want to create a new website and make sure it is secure. What would be your checklist, main questions to vendors/website providers about the IT security? What would you ask and make sure is in place so that we know we have a secure website?

Thank you,
HelenIT
0
Comment
Question by:HelenIT
7 Comments
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40384935
I would make sure your developers are trained on secure coding, do a good Quality Assurance check for it all.  Implement a change control process to make sure all changes are documented and controlled, I would use some version control system.  Once you're live (or about to go live), have a penetration test conducted against it to find any holes you didn't catch previously.  You can request a redacted version of the final report to share with 3rd parties you want to work with (if your pentest vendor doesn't offer this, find a different vendor) once you've remediated the findings.
0
 
LVL 25

Expert Comment

by:madunix
ID: 40385349
As said above, most of attacks can be  easily prevented if the coder/programmer used coding standard and security in the code, so write software that proactively implements parameter checking to insure that the vulnerability is not written into the software, which takes training and standards, and keep testing your software/application for the presence of  vulnerabilities. Additionally, make sure your web server is up-to-date with latest security fixes, Policy backups of the data would be a must, also implement WAF and firewall.
0
 

Author Comment

by:HelenIT
ID: 40386300
Thanks both. Would there be a list that you know of that I could check off as I go along and test?
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40386966
I'm sorry, but there's no real good (or widely acceptable) checklist.  Here's what I'd try and capture:

Developers are well trained and practice secure coding

Change Management process and version control is in place

Firewall is in place and configured properly

IPS is in place and configured properly

Optional -- Site is tested by a penetration test, results are acceptable (critical, high, and medium findings are mitigated)
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 40387096
I don't know which security tips are related to your systems, but it's a good practice to find two or three sources of information, such as sans.org, owasp.org, csrc.nist.gov pages way you can pick more security tips. You can go from more generalist tips to more specific tips, that seems to be a good approach to secure your servers.

I do the following checkup:

Patches and Updates
Accounts
Files and Directories
Auditing and Logging
Server Certificates
Code Access Security
Code security
Functionality File Uploads
Server Configuration
Backup and Restore
Firewall Protection
Default Password Policy
Disabling Unnecessary Service

I would also read https://code.google.com/p/wasclist/
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 167 total points
ID: 40388666
The OWASP top 10 is exactly the list you want, its the most common mistakes that lead to compromise:
https://www.owasp.org/index.php/Top_10_2013-Top_10

Keep in mind that security does not stop at the page/website level. You need to observe best practices throughout your network, and that goes beyond patching and AV scanning. The principal of least privilege is the single most important one. Check your hosting providers track record, ask them what laws and mandates they are compliant with (PCI/SOX/HIPPA/GLBA/FISMA) and what their process is for staying that way.
-rich
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 40388788
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The next five years are sure to bring developments that are just astonishing, and we will continue to try to find the balance between connectivity and security. Here are five major technological developments from the last five years and some predict…
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
The purpose of this video is to demonstrate how to Import and export files in WordPress. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Click on Too…
The purpose of this video is to demonstrate how to set up the permalinks on a WordPress Website. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Go t…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question