Page 82 - GiGW3

5. Guidelines









Protecting web resources from unauthorised use, access, changes, destruction, or disruption is generally termed as "Website Security" or "Secured Website". Sometimes web resources become unavailable due to denial-of-service attacks or display modified information on the webpages. Millions of passwords, email addresses and credit card details have been leaked into the public domain, exposing web users to both personal embarrassment and financial risks. The purpose of Website Security is to prevent such risks.

Website Security requires vigilance in all aspects, starting from design, coding and implementation to testing and deployment. Organisations should implement appropriate security measures, defences and countermeasures to protect web resources against malfunctioning, phishing, cyber-crimes or cyberattacks to avoid data loss of the organisations or users.

The government organisation will ensure and monitor that the host service provider and the developer adhere to the industry best security practices and guidelines such as ISO 27001, OWASP ASVS, OWASP Top 10 vulnerabilities and CIS benchmarks as per the prevailing security policy. The following guidelines are to secure web resources and associated infrastructure:

Statement: Website, web application, web portal or mobile app have been Security Audited and an Audit Clearance certificate has been issued by NIC/STQC/STQC empanelled laboratory/CERT-In empanelled laboratory before hosting in production environment.

Benefits: The goal of securing a website, web application, web portal or mobile app is to maintain the confidentiality, integrity and availability of information and services. This goal is accomplished through the implementation of best security practices in design, development and deployment. Attacks could cause both personal embarrassment and financial risks.

Government organisation action: It should be ensured that the website, web application, web portal or mobile app don't have any security risks as identified by the latest OWASP Top 10 vulnerability list. The design and development agency or the developers should follow industry best practices such as OWASP ASVS and OWASP MASVS.

Developer action: Securing critical web resources is more important than ever, as the focus of attackers has steadily moved towards the application layer and they are exploiting the weaknesses in the code.

A. Securing Code

(a) Ensure that all websites, web applications, web portals or mobile apps and their respective CMS, 3rd party plugins, codes, etc. are updated to the latest versions.

Note: Every day, there are countless websites/apps compromised due to outdated software. Potential hackers and bots are scanning websites/apps to attack. Updates are vital to the health and security of the website/app. If the website's software or applications are not up-to-date, the website/app is not secure. Take all software and plugin update requests seriously. Updates often contain security enhancements and vulnerability repairs. Check the website/app for updates or add an update notification plugin. Some platforms allow automatic updates, which is another option to ensure website/app security. The longer the wait to update, the less secure the website/app is. Keeping the website/app and its components up-to-date should be the top priority.

(b) All passwords, connection strings, tokens, keys, etc. should be encrypted with salted hash. There should not be any plain passwords stored in config files or source code or in a database.

(c) All exceptions should be handled appropriately. Custom error pages should be displayed for any errors/exceptions. At no point of time should a portion of source code be displayed on the page in case of an error or exception.

(d) HTTP Response Headers should be obscured.

(e) Cookies should be secure and HTTP only.

(f) Configure captcha for login pages.

(g) Directory traversal should be disabled. In case of any specific attempt by a user to access a portion of the code by typing the URL path (ex: www.xxx.gov.in/js/custom.js), the same should be redirected to a custom error page.

(h) All default user names and IIS/Apache pages (like admin, default.aspx, index.aspx, etc.) should be renamed. The access URL for the admin panel/CMS should also be renamed.

(i) The Web Server processes should not be running under Administrator or Root user Account. A dedicated User account with limited privileges should be used for the Web Server Processes.

Note: Not every webmaster knows which web server they use. Use a website scanner like Site Check to check the website for known malware, viruses, blacklisting status, website errors and more. The more one knows about the current state of website security, the better, as it gives time to fix the issues before any harm comes to it.

(j) If the web or mobile app is integrated with any 3rd party Applications or using any APIs for external communication, then ensure that all such communications are done through encrypted channels.

(k) Enforce strong password management policy, secure password recovery mechanisms and multi-factor authentication (MFA) for user login to website, web application or web portal infrastructure.

(l) Implement role-based access control and minimal privilege policy for users as per need from the system.

(m) Establish the secure coding practices document based on leading practices such as OWASP for code development. Below is an indicative checklist that can be considered for secure code development:

   (i) Input Validation
   (ii) Authentication & Password Management
   (iii) Session Management
   (iv) Access Control
   (v) Cryptographic Practices
   (vi) Error Handling & Logging
   (vii) Data Protection
   (viii) Communication Security
   (ix) System Configuration
   (x) Database Security
   (xi) File Management
   (xii) Memory Management

(n) Implement logging functionality and periodically audit the web logs for suspicious activity.

(o) Configure website, web application or web portal caching to optimize resource availability.

(p) Sanitise user input at both the client end and the server end with both a syntactical as well as a semantic approach.

(q) The technology to be implemented should be chosen after careful consideration. Various client-side Active Content Technologies are available, e.g., Java scripts etc. Each has its own strengths and weaknesses along with an associated risk.

(r) Disable the root user access to run the code on Linux/Unix hosts.

(s) Use explicit path names when invoking external programs and do not rely on the PATH environment value.

B. Securing databases: The database is the core of any application and/or organisation and is used to store large amounts of highly sensitive and personal information. Therefore, appropriate technical controls should be in place to safeguard the databases and the information stored in them. The following are the guidelines for securing databases:

(a) Implement strong encryption and key management mechanism for the information both at rest and in transit.

(b) Implement strong hashing and salting algorithms to store passwords in the database.

(c) Use secure credentials for database access. Remove or change all default database administrative passwords.

(d) Utilise strong passwords/phrases or implement multi-factor authentication.

(e) Disable unnecessary accounts such as orphaned accounts, unused accounts, generic and service accounts.

(f) Enable access to the database only from the Web Server on a whitelisted port, and it should not be assigned a publicly accessible IP.

(g) TLS should be enabled in databases for secure communications between web servers and databases.

(h) Create admin restrictions, such as by controlling privileged access on what users can do in a database.

(i) The application should use the lowest possible level of privilege when accessing the database.

(j) Turn on node checking to verify applications and users.

(k) Turn off all unnecessary database functionality (e.g., unnecessary stored procedures or services, utility packages); install only the minimum set of features and options required (surface area reduction).

(l) Enforce a strict access control policy and introduce role-based access control (RBAC) privileges.

(m) Enable audit trail logs on the database servers.

(n) Ensure appropriate logging and monitoring of database logs.

(o) Consider fine grained record/row level auditing based on the sensitivity of data.

(p) Implement a backup solution to store data and system configurations from the website, web application or web portal, which should be backed up periodically.

Note: One of the best methods to keep a website/app safe is to have a good backup solution, and the user should have more than one data backup. Each of these two backups is crucial to recovering a website after a major security incident occurs. There are several different solutions one can use to help recover damaged or lost files. Keep the website information off-site. Do not store the backups on the same server as the website; they are as vulnerable to attacks too. Choose to keep the website backup on a home computer or hard drive. Find an off-site place to store the data and to protect it from hardware failures, hacks and viruses. Another option is to back up the website in the cloud. It makes storing data easy and allows access to information from anywhere. Besides choosing where to back up the website, one must consider automating the backups. Use a solution where one can schedule the website/app backups. It has to be ensured that the solution has a reliable recovery system. Be redundant in the backup process: back up the backups. By doing this, one can recover files from any point before the hack or virus occurs.

(q) Keep the backup media file in safe custody; access to it should be restricted and logged.

(r) Conduct periodic auditing of the Web Application - at least once in a year or as and when any changes are done in the source code, whichever is earlier.

(s) Report any web application-related security incidents observed to NIC-CERT & CERT-In immediately at the Incident Response Helpdesk:
   NIC-CERT: incident@nic-cert.nic.in
   CERT-In: incident@cert-in.org.in
   Toll free phone: CERT-In - +91-1800-11-4949

Evaluator action: The evaluator shall check that the website/web application/web portal/mobile app under evaluation has a valid security audit certificate issued by NIC/STQC/STQC empanelled laboratory/CERT-In empanelled laboratory fulfilling CERT-In requirements.
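The following is an added example, not part of the GIGW guideline text: a small audit script that checks a captured HTTP response against items (c), (d) and (e) of section A (no source or stack details on error pages, obscured response headers, Secure and HttpOnly cookies). The two sample responses are constructed for illustration; the header names and leak markers it looks for are the author's choice, not a list from the guideline.

```python
import re

# Constructed sample responses (not taken from the guideline document).
WEAK = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Fatal error</b>: Uncaught Exception in /var/www/html/login.php on line 42\n"
    "Stack trace:\n#0 {main}"
)
HARDENED = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: webserver\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Something went wrong</h1><p>Please try again later (ref 5f3a).</p>"
)

# Headers that commonly disclose server/framework versions (item d).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Strings that indicate source code or stack traces on an error page (item c).
LEAK_MARKERS = re.compile(r"stack trace|traceback|on line \d+|at line \d+|exception in", re.I)

def parse_response(raw):
    """Split a raw HTTP response into (status code, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def audit(raw):
    """Return a list of guideline findings; an empty list means all three checks passed."""
    status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            parts = value.split(";")
            cookie = parts[0].split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in parts[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"(e) cookie {cookie!r} lacks {flag}")
        elif name in DISCLOSING and re.search(r"\d", value):
            findings.append(f"(d) header {name} discloses a version: {value}")
    if status >= 400 and LEAK_MARKERS.search(body):
        findings.append("(c) error page reveals source or stack details")
    return findings
```

Run audit() over responses saved from a test environment; each finding names the guideline item it maps to.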