  • If using a CDN as a reverse proxy (e.g. Akamai DSA), consider using its application attack prevention technology (e.g. Akamai's Web Application Firewall) to guard against XSS, SQL Injection, etc. These services can guard much more accurately and faster than servlets or filters in the application
  • Make sure that session hijacking attacks are guarded against, specifically attacks from Firesheep. See http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=228000481&cid=RSSfeed_IWK_All. Note: Firesheep only has 25 sites pre-configured, but custom sites can be added
  • Ensure that black box testing has been performed. IBM's AppScan is a good choice
  • Ensure that a manual security audit by a 3rd party firm specializing in security audits has been performed before launch. Quarterly audits are recommended following launch
  • If using a CDN as a reverse proxy (e.g. Akamai DSA), ensure that your origin (your production environment) is hidden from the public internet and only accepts traffic from your CDN
  • Verify that all unnecessary default logins have been disabled or deleted
  • Verify that a security scanner (something like Nessus) has been run. This will help guard against attacks from the inside and outside
  • Ensure that all unnecessary services (e.g. FTP, SMTP, telnet, etc.) have been removed. Only services that are core to the OS or application should be running
  • Ensure that all patches/updates have been applied and thoroughly tested prior to launch
  • Run a port scanner against each box to ensure that no unnecessary ports are listening
  • Ensure that all logins (failures and successes) are logged, archived, and available for audit
  • Consider using LDAP or similar for access management
  • Be sure to perform an audit of all server logins. During development, accounts for developers and accounts for sys admins who leave are often forgotten about
  • Make sure your developers understand that production heap dumps should be treated the same as production database dumps. Heap dumps will contain credit card numbers and other personally identifiable information
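The "unnecessary services" and "port scanner" items above can be turned into a repeatable check. The script below is an added example, not part of the original checklist: it parses `ss -tlnH` output (Linux iproute2) and reports every network-reachable listener whose port is not on an approved list; loopback-only services are not flagged. The approved ports and the sample `ss` output are constructed assumptions for a typical web origin.

```python
import re
import subprocess

# Assumption for this example: on a web origin only sshd (22) and the
# TLS front end the CDN talks to (443) should be reachable from the network.
APPROVED_PORTS = {22, 443}

# Constructed sample of `ss -tlnH` output so the check runs offline.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      100        127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
LISTEN 0      50              [::]:25           [::]:*
"""

# Local address column: "addr:port", "[v6addr]:port" or "*:port".
LOCAL_ADDR_RE = re.compile(r'^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^\s:]+)):(?P<port>\d+)$')


def parse_ss_listeners(text):
    """Return (bind_address, port) for each LISTEN line of `ss -tln` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        m = LOCAL_ADDR_RE.match(fields[3])  # 4th column is Local Address:Port
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        listeners.append((addr, int(m.group("port"))))
    return listeners


def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")


def unexpected_listeners(text, approved=APPROVED_PORTS):
    """Network-reachable listeners whose port is not approved (loopback-only skipped)."""
    return [(addr, port) for addr, port in parse_ss_listeners(text)
            if port not in approved and not is_loopback(addr)]


def audit_this_host(approved=APPROVED_PORTS):
    """Run `ss` on the current (Linux) host and return its unexpected listeners."""
    out = subprocess.run(["ss", "-tlnH"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(out, approved)


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {addr}:{port}")  # flags 0.0.0.0:21 and [::]:25
```

Run `audit_this_host()` on each box before launch; anything it returns is a service to remove or a firewall rule to tighten, and the audit output belongs in the launch record alongside the port scan.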