Page 80 - GiGW3
5. Guidelines

5.3 Cybersecurity

Protecting web resources from unauthorised use, access, changes, destruction, or disruption is generally termed as "Website Security" or "Secured Website".

Sometimes web resources become unavailable due to denial-of-service attacks or display modified information on the webpages. Millions of passwords, email addresses and credit card details have been leaked into the public domain, exposing web users to both personal embarrassment and financial risks. The purpose of Website Security is to prevent such risks.

Website Security requires vigilance in all aspects, starting from design, coding and implementation to testing and deployment. Organisations should implement appropriate security measures, defences and countermeasures to protect web resources against malfunctioning, phishing, cyber-crimes or cyberattacks, to avoid data loss of the organisations or users.

The government organisation will ensure and monitor that the host service provider and the developer adhere to the industry best security practices and guidelines such as ISO 27001, OWASP ASVS, OWASP Top 10 vulnerabilities and CIS benchmarks as per the prevailing security policy. The following guidelines are to secure web resources and associated infrastructure:

Statement: Website, web application, web portal or mobile app have been Security Audited and an Audit Clearance certificate has been issued by NIC/ STQC/ STQC empanelled laboratory/ CERT-In empanelled laboratory before hosting in production environment.

Benefits: The goal of securing a website, web application, web portal or mobile app is to maintain the confidentiality, integrity and availability of information and services. This goal is accomplished through the implementation of best security practices in design, development and deployment. Attacks could cause both personal embarrassment and financial risks.

Government organisation action: It should be ensured that the website, web application, web portal or mobile app do not have any security risks as identified by the latest OWASP Top 10 vulnerability list. The design and development agency or the developers should follow industry best practices such as OWASP ASVS and OWASP MASVS.

Developer action: Securing critical web resources is more important than ever, as the focus of attackers has steadily moved towards the application layer and they are exploiting the weaknesses in the code.

A. Securing Code

(a) Ensure that all websites, web applications, web portals or mobile apps and their respective CMS, 3rd party plugins, codes, etc. are updated to the latest versions.
Note: Every day, there are countless websites/apps compromised due to outdated software. Potential hackers and bots are scanning websites/apps to attack. Updates are vital to the health and security of the website/app. If the website's software or applications are not up-to-date, the website/app is not secure. Take all software and plugin update requests seriously. Updates often contain security enhancements and vulnerability repairs. Check the

[The right-hand column of this page (items A (iv)–(xii) and (n)–(s), and section B. Securing databases, items (a)–(i)) is cut off at the margin; only the following line fragments survive.]

(iv) Acces
(v) Crypto
(vi) Error
(vii) Data
(viii) Com
(ix) Syste
(x) Datab
(xi) File
(xii) Mem
(n) Implement logg
(o) Configure websi
(p) Sanitise user
a semantic approach.
(q) The technology
client-side Active C
strengths and weakness
(r) Disable the ro
(s) Use explic
environment value.
B. Securing databa
used to store large am
technical controls sho
The following are the
(a) Implement stro
rest and transit.
(b) Implement stro
(c) Use secure cr
administrative passwor
(d) Utilise strong
(e) Disable unneces
service accounts.
(f) Enable access
not be assigned public
(g) TLS should be en
databases.
(h) Create admin r
database.
(i) The applicatio
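Item (a) of "Securing Code" asks that the CMS, third-party plugins and libraries of every site be kept at their latest versions. The check below is an added illustration of how a maintainer can automate that comparison for a component inventory; it is not code from GiGW3 or from any real CMS. The component names and version numbers are constructed sample data, and the `latest` field stands in for whatever release list the organisation maintains.

```python
"""Flag web components (CMS, plugins, libraries) whose installed version is
behind the latest known release.  Added example for GiGW3 5.3 "Securing
Code" item (a); the inventory below is constructed, not a real advisory."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    installed: str
    latest: str  # latest release recorded by whoever maintains the inventory


def parse_version(text: str) -> tuple:
    """Turn '4.9.3', 'v2.1' or '1.0.0-rc1' into a comparable tuple.

    Numeric parts compare numerically (so 4.17.21 > 4.9.3, unlike a string
    comparison), a missing patch level counts as 0 (2.1 == 2.1.0), and a
    pre-release suffix sorts below the final release of the same number
    (1.0.0-rc1 < 1.0.0).  Anything else is rejected rather than guessed.
    """
    text = text.strip().lstrip("vV")
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))
    suffix = match.group(2)
    # (1, "") sorts after (0, "rc1"): a final release is newer than its pre-release
    release_rank = (1, "") if suffix is None else (0, suffix.lower())
    return numbers, release_rank


def is_outdated(component: Component) -> bool:
    """True when the installed version is strictly older than the latest one."""
    return parse_version(component.installed) < parse_version(component.latest)


def outdated_components(inventory) -> list:
    """Names of components that need an update, in inventory order."""
    return [c.name for c in inventory if is_outdated(c)]


# Constructed sample inventory: names and versions are invented for illustration.
SAMPLE_INVENTORY = [
    Component("example-cms", "6.1.1", "6.4.2"),            # behind: update
    Component("example-gallery-plugin", "v3.0", "3.0.0"),  # same release, different spelling
    Component("example-forms-plugin", "2.8.0-rc1", "2.8.0"),  # pre-release of the latest: update
    Component("example-js-lib", "4.17.21", "4.17.21"),     # current
]

if __name__ == "__main__":
    for name in outdated_components(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {name}")
```

Run as a scheduled job against the real inventory, a non-empty result is the signal to raise an update ticket; the version parser is deliberately strict so that an unparseable string fails loudly instead of being silently treated as current.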