Page 81 - GiGW3

5. Guidelines

Protecting web resources from unauthorised use, access, changes, destruction, or disruption is generally termed as "Website Security" or "Secured Website". Sometimes web resources become unavailable due to denial-of-service attacks or display modified information on the webpages. Millions of passwords, email addresses and credit card details have been leaked into the public domain, exposing web users to both personal embarrassment and financial risks. The purpose of Website Security is to prevent such risks. Website Security requires vigilance in all aspects, starting from design, coding and implementation to testing and deployment. Organisations should implement appropriate security measures, defences and countermeasures to protect web resources against malfunctioning, phishing, cyber-crimes or cyberattacks to avoid data loss of the organisations or users.

The government organisation will ensure and monitor that the host service provider and the developer adhere to the industry best security practices and guidelines such as ISO 27001, OWASP ASVS, OWASP Top 10 vulnerabilities and CIS benchmarks as per the prevailing security policy. The following guidelines are to secure web resources & associated infrastructure:

5.3.1

Statement: Website, web application, web portal or mobile app have been Security Audited and an Audit Clearance certificate has been issued by NIC/STQC/STQC empanelled laboratory/CERT-In empanelled laboratory before hosting in production environment.

Benefits: The goal of securing a website, web application, web portal or mobile app is to maintain the confidentiality, integrity and availability of information and services. This goal is accomplished through the implementation of best security practices in design, development and deployment. Attacks could cause both personal embarrassment and financial risks.

Government organisation action: It should be ensured that the website, web application, web portal or mobile app don't have any security risks as identified by the latest OWASP Top 10 vulnerability list. The design and development agency or the developers should follow industry best practices such as OWASP ASVS and OWASP MASVS.

Developer action: Securing critical web resources is more important than ever, as the focus of attackers has steadily moved towards the application layer and they are exploiting the weaknesses in the code.

A. Securing Code

(a) Ensure that all websites, web applications, web portals or mobile apps and their respective CMS, 3rd party plugins, codes, etc. are updated to the latest versions.

Note: Every day, there are countless websites/apps compromised due to outdated software. Potential hackers and bots are scanning websites/apps to attack. Updates are vital to the health and security of the website/app. If the website's software or applications are not up-to-date, the website/app is not secure. Take all software and plugin update requests seriously. Updates often contain security enhancements and vulnerability repairs. Check the

(iv) Access Control
(v) Cryptographic Practices
(vi) Error Handling & Logging
(vii) Data Protection
(viii) Communication Security
(ix) System Configuration
(x) Database Security
(xi) File Management
(xii) Memory Management

(n) Implement logging functionality and periodically audit the web logs for suspicious activity.
(o) Configure website, web application or web portal caching to optimize resource availability.
(p) Sanitise user input at both the client end and the server end with both a syntactical as well as a semantic approach.
(q) The technology to be implemented should be chosen after careful consideration. Various client-side Active Content Technologies are available, e.g., JavaScript etc. Each has its own strengths and weaknesses along with an associated risk.
(r) Disable the root user access to run the code on Linux/Unix hosts.
(s) Use explicit path names when invoking external programs and do not rely on the PATH environment value.

B. Securing databases: The database is the core of any application and/or organisation and is used to store large amounts of highly sensitive and personal information. Therefore, appropriate technical controls should be in place to safeguard the databases and the information stored in them. The following are the guidelines for securing databases:

(a) Implement strong encryption and key management mechanisms for the information both at rest and in transit.
(b) Implement strong hashing and salting algorithms to store passwords in the database.
(c) Use secure credentials for database access. Remove or change all default database administrative passwords.
(d) Utilise strong passwords/phrases or implement multi-factor authentication.
(e) Disable unnecessary accounts such as orphaned accounts, unused accounts, generic and service accounts.
(f) Enable access to the database only from the Web Server on a whitelisted port, and it should not be assigned a publicly accessible IP.
(g) TLS should be enabled in databases for secure communications between web servers and databases.
(h) Create admin restrictions, such as by controlling privileged access on what users can do in a database.
(i) The application should use the lowest possible level of privilege when accessing the database.
(j) Turn on node c
(k) Turn off all
services, utility pack
area reduction)
(l) Enforce a s
privileges.
(m) Enable audit tra
(n) Ensure appropri
(o) Consider fine gr
(p) Implement a bac
application or web por
Note: One of the
and the user sho
recovering a w
solutions one ca
off-site. Do not
to attacks too.
an off-site plac
Another option i
access to inform
must consider au
backups. It has
in the backup pr
point before the
(q) Keep the backup
(r) Conduct periodi
changes are done in th
(s) Report any
immediately at Inciden
NIC-CERT: i
CERT-In: in
Toll free p

Evaluator action: The
app under evaluation h
laboratory/ Cert-IN em