oasp / oasp4j

The Open Application Standard Platform for Java
Apache License 2.0

Deployment security guidelines #85

Open maybeec opened 10 years ago

maybeec commented 10 years ago

Security is an ongoing topic, as demonstrated by the latest issues: Heartbleed, Shellshock and the POODLE attack regarding the vulnerability of SSLv3.

When deploying software, we have to cope with multiple configuration tasks for different technologies like Apache, Tomcat or maybe also mail servers like Postfix. At the latest CCC conference a nice collection of the latest recommended configurations has been published. We should possibly add a security documentation section which covers the general problem of infrastructure configuration. I think the paper from the CCC conference is a good starting point.
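The SSLv3/POODLE point and the Apache/Tomcat configuration tasks mentioned above, as an added example that is not part of this issue or of oasp4j: a small Python check that evaluates an httpd `SSLProtocol` directive the way mod_ssl does and inspects Tomcat connectors for `sslEnabledProtocols`, reporting whether SSLv2 or SSLv3 are still enabled. The two configurations per server are constructed for this example, the weak setting beside the corrected one. Two assumptions are noted in the code: `all` is read as including SSLv2 and SSLv3 (httpd 2.2 semantics; 2.4 already drops SSLv2), and a connector without `sslEnabledProtocols` is flagged because the JVM defaults of that time still enabled SSLv3.

```python
"""Lint Apache httpd and Tomcat TLS settings for SSLv2/SSLv3 left enabled.

Added example for this thread, not code from oasp4j. The configuration
snippets are constructed to show the weak setting beside the corrected one."""
import re
import xml.etree.ElementTree as ET

# Protocol names mod_ssl accepted at the time of the POODLE advisory.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

# Constructed httpd vhost: 'all' leaves SSLv3 on; the fix subtracts it.
APACHE_WEAK = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""
APACHE_FIXED = APACHE_WEAK.replace("SSLProtocol all", "SSLProtocol all -SSLv2 -SSLv3")

# Constructed Tomcat connectors. sslProtocol="TLS" only names the SSLContext
# algorithm; it does not remove SSLv3 on a JVM whose defaults still enable it.
TOMCAT_WEAK = """
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" sslProtocol="TLS" keystoreFile="conf/keystore.jks"/>
</Service>
"""
TOMCAT_FIXED = TOMCAT_WEAK.replace(
    'sslProtocol="TLS"', 'sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"')


def apache_enabled_protocols(conf):
    """Evaluate SSLProtocol as mod_ssl does: each directive starts from an empty
    set, a bare name selects that protocol, '+name' adds, '-name' removes and
    'all' expands to every protocol. Scoping (<VirtualHost> vs. global) is
    ignored here, and 'all' is assumed to include SSLv2 as in httpd 2.2."""
    enabled = set()
    for m in re.finditer(r"^[ \t]*SSLProtocol[ \t]+(.+?)[ \t]*$", conf, re.M | re.I):
        enabled = set()
        for token in m.group(1).split():
            action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
            names = set(ALL_PROTOCOLS) if name.lower() == "all" else {_CANON.get(name.lower(), name)}
            if action == "-":
                enabled -= names
            elif action == "+":
                enabled |= names
            else:
                enabled = names
    return enabled


def tomcat_enabled_protocols(server_xml):
    """Map each TLS-enabled Connector's port to its sslEnabledProtocols set.
    None means the attribute is absent, so the JVM default list applies
    (which still contained SSLv3 on JDKs current in 2014)."""
    result = {}
    for c in ET.fromstring(server_xml.strip()).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        raw = c.get("sslEnabledProtocols")
        result[c.get("port")] = None if raw is None else {p.strip() for p in raw.split(",") if p.strip()}
    return result


def findings(apache_conf, server_xml):
    """Return one human-readable finding per weak setting; empty means clean."""
    problems = []
    weak = apache_enabled_protocols(apache_conf) & WEAK_PROTOCOLS
    if weak:
        problems.append("httpd: SSLProtocol leaves %s enabled" % ", ".join(sorted(weak)))
    for port, protos in sorted(tomcat_enabled_protocols(server_xml).items()):
        if protos is None:
            problems.append("tomcat %s: no sslEnabledProtocols, JVM default may include SSLv3" % port)
        elif protos & WEAK_PROTOCOLS:
            problems.append("tomcat %s: sslEnabledProtocols includes %s"
                            % (port, ", ".join(sorted(protos & WEAK_PROTOCOLS))))
    return problems


if __name__ == "__main__":
    for label, conf, xml in (("weak", APACHE_WEAK, TOMCAT_WEAK), ("fixed", APACHE_FIXED, TOMCAT_FIXED)):
        print(label, findings(conf, xml) or ["ok"])
```

Run against real files by reading the httpd.conf/ssl.conf and server.xml contents into the two arguments of `findings`; the check is static, so it complements rather than replaces a live probe of the listening port.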

hohwille commented 10 years ago

You want to address OWASP A5 and A9 better:
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities

That is a great opportunity. I want to see all top 10 issues addressed by OWASP so go ahead.

maybeec commented 10 years ago

I think these issues are additional ones. So in general, OWASP A5 gives you a good understanding of what misconfiguration is and how you can avoid it in general. Nevertheless, someone has to get deep into this topic to gain the information on what he/she has to configure in his/her specific environment.

The paper I mentioned is only about configuration plots, which give you hints on securing specific technologies with the current features and security understanding.

[OWASP A9](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities) is also very nice, but maybe with a greater focus on the OASP maintenance. Thus we should check our used technologies for vulnerabilities and document such technology versions as not to be used. Furthermore, we might want to provide the links to the search engines to search for vulnerable versions of any technology. I will also have a look at these search engines to see whether they provide enough information at the current state.
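The A9 point above, checking the technologies in use against a documented list of versions not to be used, as an added example that is not part of this issue or of oasp4j's own tooling: a Python script that reads the dependencies declared in a pom.xml, resolves `${property}` versions from `<properties>`, and matches them against do-not-use entries written in Maven range notation. The POM, the coordinates `org.example:legacy-parser` and `org.example:mail-client`, and the reasons are constructed placeholders, not real advisories. The version ordering is a simplification of Maven's `ComparableVersion`, sufficient for dotted releases with a `-qualifier` suffix.

```python
"""Check declared Maven dependencies against a documented do-not-use list.

Added example for this thread, not code from oasp4j. The POM and the
DO_NOT_USE entries are constructed placeholders, not real advisories."""
import re
import xml.etree.ElementTree as ET

# Constructed list: (groupId, artifactId, Maven version range, reason).
DO_NOT_USE = [
    ("org.example", "legacy-parser", "(,1.4.2)", "placeholder: fixed in 1.4.2"),
    ("org.example", "mail-client", "[2.0,2.1.1]", "placeholder: 2.0 up to 2.1.1 affected"),
]

# Constructed POM; legacy-parser's version comes from a property.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><parser.version>1.3.7</parser.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>legacy-parser</artifactId>
      <version>${parser.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>mail-client</artifactId>
      <version>2.2.0</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(v):
    """Split '1.4.2-rc1' into (kind, value) parts: numbers compare numerically,
    qualifiers lexically, and a number sorts above a qualifier. Trailing zeros
    are dropped so 1.2 == 1.2.0. Simplification of Maven's ComparableVersion."""
    parts = [(1, int(t)) if t.isdigit() else (0, t.lower()) for t in re.split(r"[.\-]", v)]
    while parts and parts[-1] == (1, 0):
        parts.pop()
    return parts


def compare_versions(a, b):
    """Return -1, 0 or 1. An extra trailing qualifier makes a version older
    (1.4.2-rc1 < 1.4.2); an extra trailing number makes it newer (1.4.2.1 > 1.4.2)."""
    pa, pb = parse_version(a), parse_version(b)
    for i in range(max(len(pa), len(pb))):
        x = pa[i] if i < len(pa) else None
        y = pb[i] if i < len(pb) else None
        if x == y:
            continue
        if x is None:
            return 1 if y[0] == 0 else -1
        if y is None:
            return -1 if x[0] == 0 else 1
        return -1 if x < y else 1
    return 0


_RANGE = re.compile(r"^([\[(])\s*([^,]*?)\s*,\s*([^,]*?)\s*([\])])$")


def in_range(version, spec):
    """Maven range notation: '[a,b]' inclusive, '(a,b)' exclusive, an empty
    bound is open, e.g. '(,1.4.2)' is everything below 1.4.2. A bare version
    as spec matches only that exact version."""
    m = _RANGE.match(spec)
    if not m:
        return compare_versions(version, spec) == 0
    lo_br, lo, hi, hi_br = m.groups()
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the POM namespace prefix


def pom_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency>, resolving
    ${property} references from <properties>; unresolved ones stay verbatim."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root if _local(el.tag) == "properties" for p in el}
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in el}
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), f.get("version", ""))
        yield f.get("groupId"), f.get("artifactId"), version


def check_pom(pom_xml, banned=DO_NOT_USE):
    """Return (groupId, artifactId, version, range, reason) for every declared
    dependency whose resolved version falls into a banned range."""
    hits = []
    for g, a, v in pom_dependencies(pom_xml):
        for bg, ba, spec, reason in banned:
            if (g, a) == (bg, ba) and "${" not in v and in_range(v, spec):
                hits.append((g, a, v, spec, reason))
    return hits


if __name__ == "__main__":
    for hit in check_pom(POM):
        print("DO NOT USE %s:%s:%s (range %s): %s" % hit)
```

The script only sees versions declared directly in the POM; transitive dependencies resolved by Maven are not covered, so a build-time dependency report is still needed to apply the same list to the full tree.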

hohwille commented 9 years ago

> Furthermore, we might want to provide the links to the search engines to search for vulnerable versions of any technology.

I had already added the link to the CVE newsletter to our security guide: https://cve.mitre.org/news/newsletter.html