Monday, August 3, 2009

Top 10 security tips for website design

Resource: http://www.watsonhall.com/methodology/top10-website-design-security-tips.pl

Website design encompasses the whole of the development life cycle, from initial strategy and planning through to deployment, operation and management. This Top 10 list is for the project instigators and champions - whoever is the lead on a project to create a new website or undertake a modification to an existing one.

This top 10 list is provided free of charge and without any warranty. Use of this top 10 list is subject to the terms of use. Each top 10 list may need to be amended for the particular website project's requirements, functionality and environment.
1 Define and assess the security risks

Define what the security requirements are, how information is classified, a security policy, how the policy will be monitored and who is responsible. List everything that is used, interacted with or altered by the website. Classify the data based on sensitivity and the effect unauthorised modification, release or loss would have on your business. This will assist in deciding where the most effort should be placed in protection. For very simple systems with no sensitive data, just insist on some standard security baselines for the project. If the website or web application is more complex or includes sensitive data, consider creating a threat model and identifying the threats and possible vulnerabilities. The analysis will assist development of the website's requirements and is very useful to the development team.




2 Take a holistic view

Information security is not just about preventing theft or damage. It also includes ensuring your website is available and fast enough, complying with legal and regulatory requirements, providing accurate information, preventing release of confidential information to unauthorised users, protecting your business data and intellectual property from mis-use or loss, preventing inappropriate use, protecting your users, ensuring business continuity and providing the ability to analyse and learn from incidents. Balance the level of security with ease of use and cost constraints.




3 Don't trust anyone else's data (or your own)

Your website will have input from users, but also from other sources such as news feeds, other purchased data and the back-office systems of your own organisation and perhaps of partners. All this data should be validated on input and on output to protect users and systems.
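As an added illustration (not part of the original list), the sketch below treats a third-party news feed as untrusted: each item is validated against an allow-list on input and HTML-encoded again on output. The field names, the length limit and the sample feed are assumptions constructed for this example.

```python
import html
from urllib.parse import urlsplit

MAX_TITLE = 200  # assumed limit for this example

class RejectedItem(ValueError):
    """Raised when a feed item fails input validation."""

def validate_feed_item(item):
    """Input side: accept only the fields and shapes we expect."""
    if not isinstance(item, dict):
        raise RejectedItem("item is not an object")
    title, link = item.get("title"), item.get("link")
    if not isinstance(title, str) or not (0 < len(title.strip()) <= MAX_TITLE):
        raise RejectedItem("title missing, empty or too long")
    if any(ord(c) < 32 for c in title):
        raise RejectedItem("control characters in title")
    if not isinstance(link, str):
        raise RejectedItem("link missing")
    parts = urlsplit(link)  # may itself raise ValueError on malformed input
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RejectedItem("link must be an absolute http(s) URL")
    return {"title": title.strip(), "link": link}

def render_feed_item(clean):
    """Output side: encode for the HTML context even though input was validated."""
    return '<li><a href="{}" rel="noopener">{}</a></li>'.format(
        html.escape(clean["link"], quote=True),
        html.escape(clean["title"], quote=True))

def render_feed(items):
    """Render valid items and count rejected ones so they can be logged."""
    rendered, rejected = [], 0
    for item in items:
        try:
            rendered.append(render_feed_item(validate_feed_item(item)))
        except ValueError:  # RejectedItem, or a parse error from urlsplit
            rejected += 1
    return rendered, rejected

# Constructed sample feed, not real data.
SAMPLE_FEED = [
    {"title": "Quarterly results published", "link": "https://news.example/q3"},
    {"title": "Sale <b>now</b> on", "link": "https://news.example/sale?a=1&b=2"},
    {"title": "Click here", "link": "javascript:alert(1)"},
    {"title": "", "link": "https://news.example/empty"},
]

if __name__ == "__main__":
    items, dropped = render_feed(SAMPLE_FEED)
    print("\n".join(items), "\nrejected:", dropped)
```

The second sample item passes input validation but still carries markup, which is why the output encoding step is applied regardless.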
4 Enforce review and approval at each milepost

By building a security review and formal approval into the project's mileposts, security becomes part of the development process and security issues can be tackled as soon as possible. The earlier security is thought about, the cheaper it is to mitigate risks. Build change control methodology into the design process.
5 Help the development team code securely

Good development practices should ensure that the development team are working to a consistent framework and that developers produce high-quality code. Software will always contain errors, but with training, use of development standards and guidelines, security risks can be minimised. Ensure that you provide enough time to develop the website or web application securely - not just achieve the functionality requirements.
6 Integrate security into the testing programme

All projects must include structured testing. The threat model (see No 4 above) can be used to help create test scenarios. Security testing involves checking what is not allowed as well as the intended functionality. This requires a change in mindset for conventional testers.
7 Build in audit, logging and alerting

Facilities to audit what has occurred on a website through sufficient logging will assist detection of abnormal activity and help identify how problems occurred. By having an early warning of issues, it may be possible to reduce the effect of an incident. Protect the logs from alteration. Ensure the logs include (numeric) user identities where available and are monitored.
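One way to make stored log records tamper-evident, shown as an added example that is not part of the original list: each record carries a numeric user id and an HMAC that also covers the previous record's MAC, and a simple monitor flags repeated failed logins. The key, event names, threshold and sample events are assumptions constructed for this sketch.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" used for the first record

def _mac(key, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_entry(log, key, user_id, event, ts):
    """Append a record whose MAC covers its content and the previous MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    record = {"ts": ts, "user_id": int(user_id), "event": event, "prev": prev}
    record["mac"] = _mac(key, record)
    log.append(record)
    return record

def verify_log(log, key):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "mac"}
        ok = hmac.compare_digest(_mac(key, body), record.get("mac", ""))
        if body.get("prev") != prev or not ok:
            return i
        prev = record["mac"]
    return None

def failed_login_alerts(log, threshold=3):
    """Monitoring: numeric user ids with at least `threshold` failed logins."""
    counts = {}
    for record in log:
        if record["event"] == "login_failed":
            counts[record["user_id"]] = counts.get(record["user_id"], 0) + 1
    return sorted(uid for uid, n in counts.items() if n >= threshold)

def demo():
    key = b"constructed-demo-key"  # assumption: the real key is kept off the web server
    log = []
    events = [(1001, "login_ok"), (1002, "login_failed"), (1002, "login_failed"),
              (1002, "login_failed"), (1001, "profile_updated")]  # constructed sample
    for n, (uid, event) in enumerate(events):
        append_entry(log, key, uid, event, ts=1249300000 + n)
    intact = verify_log(log, key)       # None while the log is unmodified
    alerts = failed_login_alerts(log)   # user ids that crossed the threshold
    log[1]["event"] = "login_ok"        # simulate later alteration of a record
    tampered_at = verify_log(log, key)  # index of the altered record
    return intact, alerts, tampered_at

if __name__ == "__main__":
    print(demo())
```

The chain detects edits and deletions inside the log but not removal of the most recent records, so the latest MAC should also be shipped to a separate system.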
8 Deploy the website securely

Development, test and live environments may be configured differently and many security issues can arise because of this. The management of the setup and launch of the website needs to be undertaken in a controlled and defined way to ensure all the security controls are in place and additional vulnerabilities are not created. Document the configuration and any future alterations.
9 Include security in every contract and service level agreement

Define what security protection you need from your suppliers, partners and sub-contractors. Use the same processes to assess their security as you would your own. Identify what security monitoring you require and how security breaches will be detected and disclosed.
10 Consider disaster recovery (and business continuity)

Consider what might cause loss of availability of the website and identify the likelihood of occurrence and the effect on the business. Examine whether actions should be taken to eliminate, reduce, insure or accept the risks.


