Pau Lo

asked on

CMS audit tests

What kind of checks would be useful for an audit/healthcheck of a content management system? I am not just talking about the security hardening aspects of the platform itself and the supporting technology stack, but looking for evidence of general good practice in terms of management/administration and anything else that can 'slip' if procedures and controls are not effective. I am trying to draw up a proper list of things to check.
ASKER CERTIFIED SOLUTION
btan

Pau Lo

ASKER

Thank you. What kind of issues, specifically, would you be looking for in these categories:

- server settings and hardware
- services and memory
Check for memory leaks: memory use by a service that becomes bigger and bigger.

Check whether the hardware can support the software, e.g. space on the drive and memory to run the application.

If you have 10 users using the application at the same time, it is very different from having 200 concurrent users.

All web services need to be monitored.
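The memory-growth check mentioned above, as an added example that is not code from anyone in this thread. It runs a trend test over periodic RSS samples (constructed here; a monitoring agent would collect them) and only flags a leak when growth is both fast and sustained, so a load spike or a warming cache is not reported. The thresholds and the `/proc` reader are my assumptions; the latter is Linux-only.

```python
"""Memory-growth check for a long-running CMS service (added example, not code
from the thread). The analysis runs on any list of (seconds, RSS MiB) samples;
the /proc reader is Linux-only and is a convenience for live use."""
from typing import List, Optional, Tuple

Sample = Tuple[float, float]  # (seconds since first sample, resident set size in MiB)

# Constructed data, as a monitoring agent might record every 10 minutes.
# The values are invented: one service grows steadily, one fluctuates around a baseline.
LEAKY_SERVICE: List[Sample] = [(0, 180), (600, 201), (1200, 222), (1800, 240), (2400, 262), (3000, 285)]
STEADY_SERVICE: List[Sample] = [(0, 180), (600, 195), (1200, 178), (1800, 190), (2400, 183), (3000, 188)]


def read_rss_mib(pid: int) -> Optional[float]:
    """Current RSS of a process from /proc/<pid>/status (Linux only); None if unreadable."""
    try:
        with open(f"/proc/{pid}/status", encoding="ascii") as status:
            for line in status:
                if line.startswith("VmRSS:"):
                    return int(line.split()[1]) / 1024  # kB -> MiB
    except OSError:
        return None
    return None


def growth_slope_mib_per_hour(samples: List[Sample]) -> float:
    """Least-squares slope of RSS against time, converted to MiB per hour."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_m = sum(m for _, m in samples) / n
    num = sum((t - mean_t) * (m - mean_m) for t, m in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return 0.0 if den == 0 else num / den * 3600


def fraction_increasing(samples: List[Sample]) -> float:
    """Share of consecutive samples where RSS went up; 1.0 means it never came back down."""
    steps = list(zip(samples, samples[1:]))
    return sum(1 for (_, a), (_, b) in steps if b > a) / len(steps)


def looks_like_leak(samples: List[Sample], min_slope: float = 20.0, min_increasing: float = 0.8) -> bool:
    """Flag a leak when growth is both fast (slope) and sustained (monotonic).
    Thresholds are assumptions: tune them to the service's normal churn.
    A fast but non-monotonic rise usually means a load spike or a cache warming up,
    not a leak, which is why both conditions are required."""
    if len(samples) < 4:
        raise ValueError("need at least 4 samples to judge a trend")
    return growth_slope_mib_per_hour(samples) >= min_slope and fraction_increasing(samples) >= min_increasing


if __name__ == "__main__":
    for name, data in (("leaky", LEAKY_SERVICE), ("steady", STEADY_SERVICE)):
        print(f"{name}: slope={growth_slope_mib_per_hour(data):.1f} MiB/h, "
              f"monotonic={fraction_increasing(data):.2f}, leak={looks_like_leak(data)}")
```

For a live check, call `read_rss_mib(pid)` from a cron job or agent, append `(elapsed_seconds, value)` to a per-service list, and feed the last few hours of samples to `looks_like_leak`. A service that restarts and drops back to baseline will break the monotonic condition, which is the intended behaviour: the audit point is unbounded growth, not a one-off high-water mark.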
Suggestion: without a money context, there's no easy way to answer your question.

A site generating $1K/month and a site generating $100K/month call for completely different approaches.

Start by describing your monthly site income and type of site (opt-in gathering, video LMS, membership forums), as both monthly income and site type are required to correctly size hardware and to determine how to run hot spares.

So for $1K/month income, you likely won't run any hot spare. For anything over $10K/month income, I personally run hot spares.
A CMS audit would also have to undergo the same regime as an OWASP check and a secure-by-default approach, to isolate the blast area where untrusted code can be injected. This should be mitigated via (1) digitally signing all code and libraries, (2) compliance with a strict version-control regime and (3) secure deployment of services based on doer-checker enforcement.
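One concrete check behind point (1) above, as an added example that is not code from anyone in this thread: verify the deployed CMS tree against a signed manifest of file hashes, so that a modified core file, a deleted file, or an unexpected file dropped into an upload directory shows up in the audit, and so that an attacker who edits the manifest without the signing key is caught. HMAC-SHA256 with a shared key is my stand-in for the signature; in a real deployment the manifest is signed on the build host with an asymmetric key (e.g. Ed25519 or GPG) so the web server holds only a public key. The file tree, key and contents are all constructed.

```python
"""File-integrity check of a CMS code tree against a signed manifest (added example,
not code from the thread). It reports modified, missing and unexpected files, and
rejects a manifest whose signature does not verify. HMAC-SHA256 with a shared key
stands in for the signature here for brevity; in production the manifest should be
signed on the build host with an asymmetric key (e.g. Ed25519 or GPG) so the web
server only holds a public key."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def _canonical(files: Dict[str, str]) -> bytes:
    # Sorted, whitespace-free JSON so the signed bytes do not depend on dict order.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: Dict[str, str], key: bytes) -> Dict:
    return {"files": files, "sig": hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()}


def signature_ok(signed: Dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(signed["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])  # constant-time compare


def audit_tree(root: str, signed: Dict, key: bytes) -> Dict:
    """Compare the live tree with the signed manifest. Unexpected files matter as much
    as modified ones: a file dropped into an upload directory shows up as 'added'."""
    if not signature_ok(signed, key):
        return {"signature_ok": False, "modified": [], "missing": [], "added": []}
    expected, current = signed["files"], build_manifest(root)
    return {
        "signature_ok": True,
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(set(expected) - set(current)),
        "added": sorted(set(current) - set(expected)),
    }


def _write(root: str, rel: str, content: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def demo() -> Tuple[Dict, Dict, bool]:
    """Constructed scenario: sign a clean install, then tamper with it.
    Returns (clean report, tampered report, whether a forged manifest verified)."""
    key = b"example-shared-key"  # assumption: a build-host key in practice, never this literal
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // front controller\n")
        _write(root, "wp-includes/load.php", "<?php // core loader\n")
        _write(root, "plugins/gallery/gallery.php", "<?php // plugin\n")
        signed = sign_manifest(build_manifest(root), key)
        clean = audit_tree(root, signed, key)

        _write(root, "index.php", "<?php // tampered\n")                 # modified core file
        _write(root, "uploads/cache.php", "<?php // unexpected file\n")  # dropped into uploads
        os.remove(os.path.join(root, "plugins/gallery/gallery.php"))    # deleted file
        tampered = audit_tree(root, signed, key)

        # An attacker who can edit the manifest but not sign it cannot hide the change.
        forged = {"files": dict(signed["files"]), "sig": signed["sig"]}
        forged["files"]["index.php"] = sha256_file(os.path.join(root, "index.php"))
        return clean, tampered, signature_ok(forged, key)


if __name__ == "__main__":
    clean_report, tampered_report, forged_verified = demo()
    print("clean:", clean_report)
    print("tampered:", tampered_report)
    print("forged manifest accepted:", forged_verified)
```

The manifest should be generated from the artefact that version control and the build pipeline produced, not from the live server, otherwise the check only confirms that the server matches itself. Directories that legitimately change at runtime (caches, uploads) need either an allow-list or a separate policy that treats executable files there as findings.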
There is consideration for the type of CMS too. An open-source CMS lets anyone look at the code, and therefore increases the chances of finding vulnerabilities; however, there's no guarantee that the code will be reviewed by independent security researchers. A closed-source CMS is often owned by a company which spends money on internal code review and security testing.

There's a lot you can do to make sure security risks are alleviated when it comes to maintaining a CMS tool.

1. Clean up your plugins - In addition to the measures mentioned, it's also imperative to ensure that the plugins added to your CMS application are secure to use. If you don't use a plugin, uninstall it so it doesn't become a security risk.

2. Scan for vulnerabilities - It's common for a CMS to be hosted on a platform that's different from the main web application. For example, blog.company.com may be hosted on a CMS like WordPress which is not regularly monitored by the web development team, and the code may not always be reviewed after updates or after adding features.

3. 2FA and requirements for complicated passwords

4. Always use the latest version of the software

5. Subscribe to product and security updates from the vendor via social media or mailing lists

6. Cloud or non-cloud infrastructure - Securing IaaS, PaaS and SaaS involves different controls that the user can take charge of. The concern is more about how your sensitive data is secured; with a lower risk appetite, IaaS, which gives more control, is preferred over the other deployment modes.
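Points 1 and 4 above turned into a repeatable audit step, as an added example that is not code from anyone in this thread. It walks a plugin inventory and reports plugins that are inactive (uninstall), behind the latest known version (update), not in any known catalogue (verify origin), or unmaintained upstream. The inventory shape borrows a subset of the fields from WP-CLI's `wp plugin list --format=json` (name, status, version) plus a `last_updated` date; the data, the "latest known" catalogue and the audit date are all constructed.

```python
"""Plugin hygiene check for a CMS install (added example, not code from the thread).
The inventory shape mirrors a subset of `wp plugin list --format=json` from WP-CLI
(name, status, version) plus a 'last_updated' date you would take from the plugin
directory; all data and the 'latest known' catalogue below are constructed."""
import json
import re
from datetime import date
from typing import Dict, List, Tuple

INVENTORY_JSON = """[
  {"name": "akismet",     "status": "active",   "version": "4.9",   "last_updated": "2020-11-02"},
  {"name": "old-gallery", "status": "inactive", "version": "1.2.3", "last_updated": "2016-03-01"},
  {"name": "site-helper", "status": "active",   "version": "0.1",   "last_updated": "2020-12-20"},
  {"name": "seo-tool",    "status": "active",   "version": "2.0.1", "last_updated": "2020-12-01"}
]"""

# Assumed catalogue of current upstream versions (constructed; in practice taken
# from the vendor's update API or a vulnerability feed).
LATEST_KNOWN: Dict[str, str] = {"akismet": "4.10", "old-gallery": "1.2.3", "seo-tool": "2.0.1"}

AUDIT_DATE = date(2021, 1, 15)  # fixed so the example is reproducible


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple so '4.10' sorts after '4.9' (a plain string compare gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_plugins(inventory: List[dict], latest_known: Dict[str, str],
                  today: date, stale_days: int = 365) -> Dict[str, List[str]]:
    """Return {plugin: [finding, ...]} for plugins needing attention; clean plugins are omitted."""
    findings: Dict[str, List[str]] = {}
    for plugin in inventory:
        issues = []
        name = plugin["name"]
        if plugin["status"] != "active":
            issues.append("inactive: uninstall, disabled code is still reachable on disk")
        latest = latest_known.get(name)
        if latest is None:
            issues.append("unknown: not in the catalogue, verify its origin and review it")
        elif parse_version(plugin["version"]) < parse_version(latest):
            issues.append(f"outdated: {plugin['version']} -> {latest}")
        age_days = (today - date.fromisoformat(plugin["last_updated"])).days
        if age_days > stale_days:
            issues.append(f"unmaintained: last upstream update {age_days} days ago")
        if issues:
            findings[name] = issues
    return findings


def run_audit() -> Dict[str, List[str]]:
    return audit_plugins(json.loads(INVENTORY_JSON), LATEST_KNOWN, AUDIT_DATE)


if __name__ == "__main__":
    for name, issues in run_audit().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The version parser matters more than it looks: comparing `"4.10"` and `"4.9"` as strings says the older one is newer, so a naive check would report an outdated plugin as current. The stale-days threshold is an assumption; the point is that a plugin nobody upstream has touched in years will not receive a fix even if a vulnerability is found.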