[WEB SECURITY] Securing a website

Ofer Shezaf Ofer.Shezaf at breach.com
Thu Jun 9 16:54:00 EDT 2005


I think that the PCI standard is probably the best requirements document
regarding securing a web site, but it is not very helpful regarding
implementation. 

In general using an external document that does not address your
specific needs for the implementation phase is not recommended, especially
when dealing with the application layer which tends to be different from
one site to the other. The issues you raise also seem to be related to
the development phase as much as to the deployment phase.

That said, these documents may help you:

Improving Web Application Security: Threats and Countermeasures (please
no flames. It is good even though it came from Microsoft)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

The OWASP guide:
http://www.owasp.org/documentation/guide.html


~ Ofer

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers at breach.com
http://www.breach.com


> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
> Sent: Thursday, June 09, 2005 11:34 PM
> To: Web Security
> Subject: Re: [WEB SECURITY] Securing a website
> 
> I've been recommending the Payment Card Industry (PCI) Data Security
> Standard, jointly developed by Visa and Master Card. The documentation
> includes all the essential guidelines and even an audit program.
> Simply substitute "cardholder data" with whatever you're protecting and
> slice out anything you don't need.
> 
> Here are some relevant links:
> http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
> 
> http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_training_tools.html?it=l2|/business/accepting_visa/ops_risk_management/cisp%2Ehtml|Training%20and%20Tools
> 
> Jeremiah-
> 
> 
> 
> On Thursday, June 9, 2005, at 01:01  PM, Paul Ryan wrote:
> 
> > All - I'm looking for a technical document for deploying a web server
> > in a DMZ. I would like to make recommendations with respect to the
> > website implementation (i.e. web login, user grouping etc). The
> > hardening portion of the actual box I have covered as it is a Unix
> > server - just not sure of the best method for the web page security...
> >
> > best regards,
> >
> > Paul Ryan
> >
> >
> >
> 
> 


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


