
Proposal for the joint creation of a security standard for Web applications (sites)

Inspired by the recent events around leaks of personal data at Megafon, MTBank and others, and by the question habrahabr.ru/qa/10352 itself.

Lately I have been closely following what is happening on the Internet in terms of data security, and at times it becomes frightening: enter any data into any government body or bank, and your information may become available to a wide audience of Internet users. Moreover, my current work is auditing sites and web systems for possible vulnerabilities, and not so much software vulnerabilities at first (although that is the favourite part, a real Klondike for villains) as logical ones, and I can say with authority that most of the sites that pass through me have critical or serious problems. And the Web applications that pass through me belong to large organizations whose names are on everyone's lips.

I have spent long evenings over a cup of coffee, examining and describing the next vulnerability on a site, and I often caught myself thinking that the world could be more secure, safer, cleaner if ...

... if developers were not only developers but also analysts and IT security managers ... but the world is not perfect, and everyone should do what they do best. Maybe they are willing, but it is hard for them to understand the possible threats, of which there are more every day. The project manager presses them with deadlines, and the customer shouts that this functionality should have been there last week. What kind of validation of ordinary input data can there be?
')
You can endlessly justify your actions with good intentions, or just as endlessly compose reasons not to act, or you can simply go and do it ...

So, what am I talking about ... it is quite simple: I am saying that it would be good to have some standard / guideline / checklist for developers and organizations, which they could use to make sure that their website at least does not contain the common design errors in data processing, storage and transfer. The standard, as I understand it, should cover the aspects related to the continuous operation of the site. For example, hosting, DNS servers and even the site's users: everything should be taken into account.

Who am I and what can I offer besides the idea?
- I am Ichnik, with over 10 years of experience on Web topics. I have experience writing Web sites (PHP developer). Recently I became interested in IT security and, as a result, successfully implemented ISO 27001 in my organization. At the moment I am in charge of the department responsible for IT audits of websites, web systems and so on. Behind me are several dozen audits and several hundred sites "taken apart" piece by piece, with descriptions of the holes and recommendations.

Who am I looking for?
People deeply devoted to IT security, in particular its Web part. Ideally, this is a person who understands web technologies, IT security and threats. Someone who holds certificates (any certificates) related to the implementation of PCI DSS or ISO 27001, perhaps CISA or CISSP, and who has the time, the desire and the determination. Important: I do not have the time or the desire to "train" anyone, even if you are full of resolve and determination to devote your life to IT security.

How much am I willing to pay?
The answer, immediately and bluntly: nothing at all. This is everyone's problem: today a neighbouring bank's database has been leaked, tomorrow it is your financial information. I'm looking for volunteers.

What could be my interest?
A direct one. I propose creating a community together. Perhaps some kind of business idea will grow out of it, for example an audit of a site for compliance with the XXX-YYYY standard. Perhaps you will be the site auditor; perhaps an audit on your initiative will become an indispensable and integral part of the standard process for delivering Web systems in your organization.

What already exists?
A draft outline of the document's structure.

What is the participation process?
For now, I see it like this. If you decide that you want to participate:
1. Create a Google account, because without it you will not be able to access Google Docs.
2. Send me your account (email address) so that I can share the document with you. The document is available to everyone for reading.
3. If you want to add or change something, send me your email and I will grant you edit access to the document.

I'm curious, I want to try
Great, then send me a private message. If we have common interests, then we are on the same road.

The actual link: docs.google.com/document/d/1sbDhyX8Reu8vgEHzhyltXH6dQYzG4lQV7Lmw2ryjsX0/edit?hl=en_US

Source: https://habr.com/ru/post/126306/
