Thanks again to Doug and Grant for taking time to brief us on current web security trends. A few of our notes are below but check out their site Jacadis Web Security Firm to get all the details.
Ultra Basic Web Security Practices
- Check out the OWASP standards for best practices on website security (OWASP)
- Adopt a minimum standard such as OWASP Top 10 or Top 20 and make sure all web developers follow those practices at a minimum
- Have all staff that touch client software projects (web developers, mobile application developers, database architects, even project managers) read and sign off that they will commit to these standards
- Have at least an annual (quarterly is preferred) staff meeting to review changes in the industry
- Run industry standard website penetration testing prior to launching a web application
- Run the same industry standard web security software after major upgrades or, if possible, quarterly to check for newly identified threats
More Advanced Strategies for Website Security
- Create a basic brochure or document for all your clients that educates them on why they need to invest time and money in website security
- Create tiered security levels and commit to following minimum standards for each tier
- Tiers could be, for example: Tier 1: no exposure to the web or confidential information; Tier 3: HIPAA, COPPA, or FERPA data stored
- Include baseline security standards, such as an open source vulnerability test, for all website and mobile applications you develop, as a default practice on every project
Thanks again to the team at Jacadis for presenting at our event.