Security Operation Procedures

These are the guidelines for the three basic roles in any web project to prepare for the case of a security issue.


Publisher
People behind the MWPSK

WebMaster
People who deploy the MWPSK to a hoster (use MWPSK for a production website) - setup and maintain the content over time.

Developer
People who extend or modify the code of MWPSK


These roles actually apply for many web applications - not just for those based on MWPSK.


Standard operation procedures

WebMaster

  • Change 'admin' password as a first action after deployment
  • Do subscribe the MWPSK news feed. This is the way to receive a notification in case of a security issue
  • Don't store sensitive information on a website in a shared hosting environment
    • e.g. personal data of other people
    • e.g. health information
    • e.g. credit card information
  • Evaluate whether a shared hosting infrastructure is safe enough for your purpose
  • Evaluate whether unencrypted communication is reasonable (e.g. usernames, passwords) or if you need SSL? Most hosters offer SSL for shared hosting accounts. (Is shared hosting the right approach if you think you need SSL?)
  • Backup your data on a regular base -> Download content of folder /App_Data
  • Assign clear responsibilities for maintenance of your homepage
    • Who receives security issue notifications? (Subscribes the MWPSK news feed)
    • Who does regular backup?

Developer

  • Do not modify the way passwords are hashed. As described in the security briefs
  • Do not extend the software in a way, which encourages to store sensitive information. Shared hosting environments may not offer sufficient protection for sensitive information.
    • e.g. do add a feature to manage credit card information
  • Consider security best practices when extending/modifying the kit
  • Make sure you have subscribed MWPSK news feed in order to receive a notification in case of a security issue
  • Keep track on the people for whom you have changed/extended/deployed MWPSK
    • You may forward a notification to them if a security issue appears
  • Make sure you always have a copy of your source code in an archive of all versions, which are deployed
    • You may need to test/integrate changes based on security fixes in the future

Publisher

  • Monitor the discussion forum
  • Monitor other online communities
  • Maintain a service level agreement with the vendor, which guarantees a response time in case of a security issue




Emergency operation procedures

Severity levels

Objectives
In case of an emergency we want to give clear guidance to developers and webmasters what to do and how urgent their own action is

Level definitions
  • Low risk
    • Customers should download and deploy fix (can take a few days)
  • High risk
    • You should carefully consider what is on risk
      • e.g. indruder can modify your website without beeing authorized to do so
      • e.g. intruder can stop your website
      • e.g. intruder can access information without proper authentication
    • You might take the site offline until fix is deployed
    • Fix should be deployed as soon as possible. Updates would be published through the MWPSK news feed.

WebMaster

  1. Receive security notification through MWPSK news feed
  2. Backup your data -> Download content of folder /App_Data
  3. Evaluate severity of the issue
  4. Download the fix (new version) and deploy it
  5. Test your website

Developer

  1. Receive security notification through MWPSK news feed
  2. Evaluate severity and what it means for 'your modified version' of MWPSK
  3. Download the fix and test it with you own extensions/modifications
  4. Approach the WebMasters for whom you have created solutions based on MWPSK
  5. Recommend appropriate advice to the webmaster(s) who are using 'your modified version' of the MWPSK

Publisher

  1. Evaluate and define the severity level
  2. Publish notification about the issue through MWPSK news feed
  3. Prepare a solution/fix and describe an update scenario
  4. Publish the fix
  5. Publish a notification on the RSS feed




Last edited Nov 9, 2006 at 3:08 PM by ursmueller, version 2

Comments

No comments yet.