dmwm / PHEDEX

CMS data-placement suite

Security Audit of Production Web Site/Data Service #142

Open ericvaandering opened 11 years ago

ericvaandering commented 11 years ago

Original Savannah ticket 10204 reported by None on Wed Jun 24 05:07:05 2009.

According to the webtools service level agreement, we must perform a security audit of our web services by the end of August. We run the following on cmsweb machines:

  - PhEDEx Web Page server / application code
  - PhEDEx GraphTool server / application
  - PhEDEx Data Service server / application code

The SLA is here:

https://twiki.cern.ch/twiki/bin/view/CMS/DMWTServiceLevelAgreement

We must (see twiki for URLs):

  1. Must implement the recommendations from the CERN security introduction to software developers: Checklist, Seminar, Info.
  2. Must positively confirm the project does not implement any of "The Six Dumbest Ideas in Computer Security", including "the minor dumbs."
  3. Must provide a review summary and actions taken on each item listed in the SANS "TOP 25 Most Dangerous Programming Errors."

ericvaandering commented 11 years ago

Comment by egeland on Wed Oct 7 05:21:51 2009

Audit was completed. Now we need to make new releases implementing our own recommendations.

ericvaandering commented 11 years ago

Comment by egeland on Fri Oct 9 12:38:50 2009

We should switch to a production version of the services implementing fixes for our own audit findings by November 15.