Proposal for the joint creation of a security standard for Web applications (sites)

Inspired by the recent events concerning the confidentiality of personal data at Megafon, MTBank and others, and in fact by the question habrahabr.ru/qa/10352

Recently I have been closely following what is happening on the Internet in terms of data security, and it is sometimes frightening that, having entered your data into the systems of some authority or bank, that information may become available to a wide audience of Internet users. Moreover, my current work involves auditing sites and web systems for possible vulnerabilities, not only software ones (although that is the favourite part and a gold mine for attackers) but also logical ones, and I can state with authority that most of the sites that pass through me have critical or serious problems. And the ones that pass through me are the web applications of large organizations whose names everyone knows.

During long evenings spent over a cup of coffee, analysing and describing yet another vulnerability on a site, I often caught myself thinking that the world could be safer, better, cleaner if ...

... if developers were not only developers, but also analysts and IT security managers ... but the world is not perfect, and everyone should do what they do best. Maybe they would be ready, but it is hard for them to grasp the possible threats, of which there are more every day. The project manager is pushing them on deadlines, and the customer is shouting that they should have had this functionality last week. Who has time to check the input with a regular expression?

One can endlessly justify one's actions with good intentions, and just as endlessly invent motives and counter-arguments, but one can also simply take it and do it ...

So what am I talking about ... it is simple: I am saying that it would be good to have some kind of standard / guideline / checklist for developers and organizations, which they could use to make sure that their site at least does not contain banal errors in design, data processing, storage and transfer. As I understand it, the standard should cover all aspects related to the continuous operation of a site: hosting, DNS servers and even the site's users, everything should be taken into account.

Who am I, and what can I offer besides an idea?
- I am an IT specialist with more than 10 years of experience around Web topics. I have experience writing Web sites (PHP developer). Recently I became interested in IT security and, as a result, successfully implemented ISO 27001 in my organization. At the moment I am in charge of the department responsible for IT audits of sites, web systems, etc. Behind me are a few dozen audits and several hundred "disassembled" parts of sites with descriptions of holes and recommendations.

Who am I looking for?
People deeply devoted to IT security, in particular its Web part. Ideally this is a person who understands web technologies, IT security and threats, who holds some (or any) certificates related to the implementation of PCI DSS or ISO 27001 (CISA or CISSP are also possible), and who has the time, desire and drive. It is important to note that I have neither the time nor the desire to "educate" anyone, even if you are full of desire and determination to devote your life to IT security.

How much am I willing to pay?
The straight answer is: nothing at all. This is a question that concerns each and every one of us: today they leaked the database of your neighbour's bank, and tomorrow it will be your financial information. I am looking for volunteers.

What could my interest be?
Straightforward. I am proposing the collaborative creation of a community. Perhaps some business idea will grow out of it, for example an audit to determine whether a site complies with standard XXX-YYYY. Perhaps you will be the site auditor; perhaps an audit at your suggestion will become a mandatory and integral part of the standard process for delivering Web systems in your organization.

What already exists?
A draft outline of the document structure and ideas

What is the participation process?
For now I see it like this: if you decide that you want to participate, then
1. Create a Google account, since without it you cannot access Google Docs.
2. Send me the account (email address) so that I can share the document with you. The document is available to everyone for reading.
3. If you want to add or change something, drop me your email and I will give you access to edit the document.

I am interested, I want to try it
Great, then knock on my PM (private message). If we have common interests, we are on the same path.

The link itself: docs.google.com/document/d/1sbDhyX8Reu8vgEHzhyltXH6dQYzG4lQV7Lmw2ryjsX0/edit?hl=en_US
