Solved

IT Security Website

Posted on 2014-10-16
7
198 Views
Last Modified: 2014-10-20
Hi,

we want to create a new website and make sure it is secure. What would be your checklist, main questions to vendors/website providers about the IT security? What would you ask and make sure is in place so that we know we have a secure website?

Thank you,
HelenIT
0
Comment
Question by:HelenIT
7 Comments
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40384935
I would make sure your developers are trained on secure coding, do a good Quality Assurance check for it all.  Implement a change control process to make sure all changes are documented and controlled, I would use some version control system.  Once you're live (or about to go live), have a penetration test conducted against it to find any holes you didn't catch previously.  You can request a redacted version of the final report to share with 3rd parties you want to work with (if your pentest vendor doesn't offer this, find a different vendor) once you've remediated the findings.
0
 
LVL 25

Expert Comment

by:madunix
ID: 40385349
As said above, most of attacks can be  easily prevented if the coder/programmer used coding standard and security in the code, so write software that proactively implements parameter checking to insure that the vulnerability is not written into the software, which takes training and standards, and keep testing your software/application for the presence of  vulnerabilities. Additionally, make sure your web server is up-to-date with latest security fixes, Policy backups of the data would be a must, also implement WAF and firewall.
0
 

Author Comment

by:HelenIT
ID: 40386300
Thanks both. Would there be a list that you know of that I could check off as I go along and test?
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40386966
I'm sorry, but there's no real good (or widely acceptable) checklist.  Here's what I'd try and capture:

Developers are well trained and practice secure coding

Change Management process and version control is in place

Firewall is in place and configured properly

IPS is in place and configured properly

Optional -- Site is tested by a penetration test, results are acceptable (critical, high, and medium findings are mitigated)
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 40387096
I don't know which security tips are related to your systems, but it's a good practice to find two or three sources of information, such as sans.org, owasp.org, csrc.nist.gov pages way you can pick more security tips. You can go from more generalist tips to more specific tips, that seems to be a good approach to secure your servers.

I do the following checkup:

Patches and Updates
Accounts
Files and Directories
Auditing and Logging
Server Certificates
Code Access Security
Code security
Functionality File Uploads
Server Configuration
Backup and Restore
Firewall Protection
Default Password Policy
Disabling Unnecessary Service

I would also read https://code.google.com/p/wasclist/
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 167 total points
ID: 40388666
The OWASP top 10 is exactly the list you want, its the most common mistakes that lead to compromise:
https://www.owasp.org/index.php/Top_10_2013-Top_10

Keep in mind that security does not stop at the page/website level. You need to observe best practices throughout your network, and that goes beyond patching and AV scanning. The principal of least privilege is the single most important one. Check your hosting providers track record, ask them what laws and mandates they are compliant with (PCI/SOX/HIPPA/GLBA/FISMA) and what their process is for staying that way.
-rich
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 333 total points
ID: 40388788
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
The purpose of this video is to demonstrate how to properly insert a Vimeo Video into a WordPress site or Blog. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp…
The purpose of this video is to demonstrate how to add AdSense Ads to a WordPress Website, and how to set up WordPress to automatically place Ads in Sidebars. This will be demonstrated using a Windows 8 PC. Log into your AdSense account. : Cli…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now