Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 224
  • Last Modified:

IT Security Website

Hi,

we want to create a new website and make sure it is secure. What would be your checklist, main questions to vendors/website providers about the IT security? What would you ask and make sure is in place so that we know we have a secure website?

Thank you,
HelenIT
0
HelenIT
Asked:
HelenIT
3 Solutions
 
Sean JacksonCommented:
I would make sure your developers are trained on secure coding, do a good Quality Assurance check for it all.  Implement a change control process to make sure all changes are documented and controlled, I would use some version control system.  Once you're live (or about to go live), have a penetration test conducted against it to find any holes you didn't catch previously.  You can request a redacted version of the final report to share with 3rd parties you want to work with (if your pentest vendor doesn't offer this, find a different vendor) once you've remediated the findings.
0
 
madunixChief Information Security Officer Commented:
As said above, most of attacks can be  easily prevented if the coder/programmer used coding standard and security in the code, so write software that proactively implements parameter checking to insure that the vulnerability is not written into the software, which takes training and standards, and keep testing your software/application for the presence of  vulnerabilities. Additionally, make sure your web server is up-to-date with latest security fixes, Policy backups of the data would be a must, also implement WAF and firewall.
0
 
HelenITAuthor Commented:
Thanks both. Would there be a list that you know of that I could check off as I go along and test?
0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 
Sean JacksonCommented:
I'm sorry, but there's no real good (or widely acceptable) checklist.  Here's what I'd try and capture:

Developers are well trained and practice secure coding

Change Management process and version control is in place

Firewall is in place and configured properly

IPS is in place and configured properly

Optional -- Site is tested by a penetration test, results are acceptable (critical, high, and medium findings are mitigated)
0
 
madunixChief Information Security Officer Commented:
I don't know which security tips are related to your systems, but it's a good practice to find two or three sources of information, such as sans.org, owasp.org, csrc.nist.gov pages way you can pick more security tips. You can go from more generalist tips to more specific tips, that seems to be a good approach to secure your servers.

I do the following checkup:

Patches and Updates
Accounts
Files and Directories
Auditing and Logging
Server Certificates
Code Access Security
Code security
Functionality File Uploads
Server Configuration
Backup and Restore
Firewall Protection
Default Password Policy
Disabling Unnecessary Service

I would also read https://code.google.com/p/wasclist/
0
 
Rich RumbleSecurity SamuraiCommented:
The OWASP top 10 is exactly the list you want, its the most common mistakes that lead to compromise:
https://www.owasp.org/index.php/Top_10_2013-Top_10

Keep in mind that security does not stop at the page/website level. You need to observe best practices throughout your network, and that goes beyond patching and AV scanning. The principal of least privilege is the single most important one. Check your hosting providers track record, ask them what laws and mandates they are compliant with (PCI/SOX/HIPPA/GLBA/FISMA) and what their process is for staying that way.
-rich
0
 
madunixChief Information Security Officer Commented:
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now