WEB APPLICATION SECURITY POLICY

Web Application Security Policy Development Overview

How many times have you either heard or asked "Is my site secure?" Until you define what 'secure' means for your site, the question is impossible to answer. An application security policy is this definition. What makes one web application secure is frequently completely different from what it takes for another to be secure. The enormous diversity of purpose, size, complexity, environment, and specific security concerns for web sites makes each site's security policy unique. Without documenting what 'secure' means for your web site, you are inherently insecure because you have no way of measuring how secure you really are.

MUSINGWAY can develop or review a web application's security policy to ensure that what 'secure' means is precisely defined for your site. Once defined, a site security policy focuses your technical team on making appropriate and consistent design and implementation decisions that affect security during the development and maintenance of your custom web application. A security policy serves as the mechanism for clearly articulating your security goals to the entire team involved in developing, deploying, and using your web application, including management, business partners, and ultimately the end users of your site.

Details

Our experts have been developing security policies for Government and commercial customers for over thirteen years, and have a deep understanding of virtually all the applicable standards and laws. An application security policy developed by MUSINGWAY typically addresses issues such as:

• What are the different types of users of your site (roles)
• How do you identify and authenticate these users (authentication)
• What are you protecting on your site (assets)
• What rights do each of these users have to what is being protected (user rights)
• What functions can each type of user perform (allowed functions)
• How are you going to enforce these constraints on your users (access control)
• How are your users going to be managed (user management)
• Does your site have privacy, integrity, or non-repudiation concerns (other issues)
• Who is going to manage your site and how (site administration)
• How will your site securely interact with other entities (external connections)
• How does your site handle errors (error handling)
• How can you consistently design and build secure sites (coding practices)
• What evidence will your site collect to deter, detect, and document attack attempts (accountability and logging)
• What steps will you take to defend against denial of service attacks (denial of service)