Template for Web Security Standard (TSS-WEB)

Version 1.3.1 (Draft)





A Standard by Secodis GmbH

Licensed under Creative Commons License


About TSS-WEB

This document consists of exemplary content for a (mainly) technical security standard for web-based applications and services. It may be used as a template for a custom, organization-specific security standard, or simply as a collection of suggested baseline requirements for teams and projects. All requirements in this document are based on common best practices combined with our own experience in this field.

The current version of this document is available at https://www.secodis.com/tss-web in various file formats. Please post any questions, suggestions or errors you find to the forum https://groups.google.com/d/forum/tss-web or send them by mail to tss-web@googlegroups.com.

Note about the English translation (Draft): This is the first English translation of the original German document, which has been worked on in the community for a while. This version may therefore contain some translation “bugs”, which is why it is, unlike the German document, published as a draft.

License

This document is licensed under the Creative Commons BY 4.0 International License (http://creativecommons.org/licenses/by/4.0). Duplication, distribution and changes to it for internal purposes are permitted. Changed versions of this document do not have to be distributed under the same license (no copyleft or share-alike), but must reference the author and source of this document.

Matthias Rohr
Secodis GmbH


Document History

Version          Date         Changes
1.0              20.02.2015   Initial release (German)
1.3 (Draft)      29.8.2016    Initial English version based on a complete review of the standards with a lot of improvements and corrections.
1.3.1 (Draft)    28.11.2016   • Changes to CSP statements
                              • CVSS scoring added to security of 3rd party components


Security Standard for
Web-based Applications

Example Inc.

Version: 1.0

Classification: INTERNAL



Table of Contents

Introduction
  Scope
  Types of Requirements
  Definitions
  Roles
  Protection Classes
Remediation of Vulnerabilities
Operational Requirements
Protection of Source and Program Code
Security of Development Process
Security Tests
Supplier Requirements
Implementation Requirements
  General Principles
  Input Validation
  File Uploads and File Downloads
  Output Validation (Encoding & Escaping)
  User Authentication and Registration
  User Passwords I: Strength and Usage
  User Passwords II: Changing and Reset
  Authentication at Backend Services
  Authentication at Frontend Services (e.g. AJAX)
    See section 8.16 („Web Services and XML Parser“).
  Hardening of Session Management
  Access Controls
  Error Handling & Logging
  Data Security & Cryptography
  Management of Technical Keys
  Client-Side Security
  Web Services and XML Parser
Appendix A: HTTP Security Header
Appendix B: Common Vulnerabilities in Web Applications (OWASP Top Ten)

Document Properties

Location:        tbd
Owner:           tbd
Type:            Technical Standard
Classification:  For internal use only (INTERNAL)
Next Review:     tbd

Referenced Documents

Document                            Location
TSS-WEB version 1.3.1 (Template)    https://www.secodis.com/tss-web
Information Security Policy         tbd
Password Policy                     tbd

Contacts for this Document

Name    E-Mail    Section

Document History

Version   Date         Changes                                     Changed By
0.1       24.12.2016   Initial document based on TSS-WEB v1.3.1    John Doe