
List:       security-basics
Subject:    RE: protecting web apps for governments
From:       "Ward, Jon" <Jon_Ward () SYNTELINC ! COM>
Date:       2012-06-19 17:25:17
Message-ID: 7F3F6B512AF9414789943E9CD953BFF1043A6566 () crycorexch01 ! syntelorg ! com

It's not too much.  That's pretty standard, actually.  Not all code
changes will require a full penetration test, but every change needs to
be evaluated by a qualified entity to determine its potential
implications.  My team performs a handful of testing types (automated
and manual) for each application release as an integral part of our
customers' SDLCs.  In some cases, that equates to a full pen test a few
times per year per application.  That depends on analysis of a
combination of risk factors.  For example, an application that has a
modification to some hard-coded text won't necessarily need a full
pen-test, but if that application is modified to accept new inputs or
access a database in a new way, it will definitely need some testing.

Due to the nature of web applications, we have the luxury of being able
to automate a large portion of security testing.  That option provides a
lot of scalability.

I work for an organization that handles this whole vulnerability testing
process.  Let me know if you'd like more info about what services we can
offer.


Jon Ward, CEPT, CISA
Syntel, Inc. - Information Security
jon_ward@syntelinc.com



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of marco cohen
Sent: Tuesday, June 19, 2012 10:23 AM
To: security-basics@securityfocus.com
Subject: protecting web apps for governments

Hi all

I'm doing consulting for one of the governments in Europe.

The idea is to create a most secure segment in which we will locate
all the web apps of the gov and to protect them from any attack. We
will buy equipment like SIEM, HIDS, IPS, Firewalls and WAF and
prevention of DDOS attacks.
But additionally to this I am working on policies to implement
hardening of the operating system of those servers.
I am considering also policies of code review (in this process also
input validation), and twice a year pentest to all the 200 web sites.
I am wondering if also doing code review for every change in those
web apps + pentest 2 times a year + WAF.

ISN'T THAT TOO MUCH FOR PROTECTING THE WEB SERVERS??

thanks a lot!

marco

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

