ASP (Application Service Provider) Security Standards
Source: Internet | Category: vue.js mini programs | Editor: 程序博客网 | Date: 2024/06/05 09:21
These Standards are subject to additions and changes without warning by InfoSec.
This document can be provided to ASPs that are either being considered for use by <Company
InfoSec is looking for explicitly detailed, technical responses to the following statements and questions. ASPs should format their responses directly beneath the Standards (both questions and requirements) listed below. In addition, please include any security whitepapers, technical documents, or policies that you may have.
Answers to each Guideline should be specific and avoid generalities, e.g.:
Bad: "We have hardened our hosts against attack."
Good: "We have applied all security patches for Windows 2000 as of 8/31/2000 to our servers. Our Administrator is tasked with keeping up-to-date on current vulnerabilities that may affect our environment, and our policy is to apply new patches during our maintenance period (2300hrs, Saturday) every week. Critical updates are implemented within 24 hours. A complete list of applied patches is available to <Company Name>."
Bad: "We use encryption."
Good: "All communications between our site and <Company Name> will be protected by IPSec ESP Tunnel mode using 168-bit TripleDES encryption, SHA-1 authentication. We exchange authentication material via either out-of-band shared secret, or PKI certificates."
1. <Company Name> reserves the right to periodically audit the <Company Name> application infrastructure to ensure compliance with the ASP Policy and these Standards. Non-intrusive network audits (basic
2. The ASP must provide a proposed architecture document that includes a full network diagram of the <Company Name> Application Environment, illustrating the relationship between the Environment and any other relevant networks, with a full data flowchart that details where <Company Name> data resides, the applications that manipulate it, and the security thereof.
3. The ASP must be able to immediately disable all or part of the functionality of the application should a security issue be identified.
1. The equipment hosting the application for <Company Name> must be located in a physically secure facility, which requires badge access at a minimum.
2. The infrastructure (hosts, network equipment, etc.) hosting the <Company Name> application must be located in a locked cage-type environment.
3. <Company Name> shall have final say on who is authorized to enter any locked physical environment, as well as access the <Company Name> Application Infrastructure.
4. The ASP must disclose who amongst their personnel will have access to the environment hosting the application for <Company Name>.
5. <Company Name>'s Corporate Asset Protection team requires that the ASP disclose their ASP background check procedures and results prior to InfoSec granting approval for use of an ASP.
1.
2. How will data go between <Company Name> and the ASP? Keep in mind the following two things:
a. If <Company Name> will be connecting to the ASP via a private circuit (such as frame relay, etc.), then that circuit must terminate on the <Company Name> extranet, and the operation of that circuit will come under the procedures and policies that govern the <Company Name> Partner Network Management Group.
b. If, on the other hand, the data between <Company Name> and the ASP will go over a public network such as the Internet, appropriate firewalling technology must be deployed by the ASP, and the traffic between <Company Name> and the ASP must be protected and authenticated by cryptographic technology (See Cryptography below).
1. The ASP must disclose how and to what extent the hosts (Unix, NT, etc.) comprising the <Company Name> application infrastructure have been hardened against attack. If the ASP has hardening documentation for the CAI, provide that as well.
2. The ASP must provide a listing of current patches on hosts, including host OS patches, web servers, databases, and any other material application.
3.
4. The ASP must disclose their processes for monitoring the integrity and availability of those hosts.
5. The ASP must provide information on their password policy for the <Company Name> application infrastructure, including minimum password length, password generation guidelines, and how often passwords are changed.
6. <Company Name> cannot provide internal usernames/passwords for account generation, as the company is not comfortable with internal passwords being in the hands of third parties. With that restriction, how will the ASP authenticate users? (e.g., LDAP, Netegrity, Client certificates.)
7. The ASP must provide information on the account generation, maintenance and termination process, for both maintenance as well as user accounts. Include information as to how an account is created, how account information is transmitted back to the user, and how accounts are terminated when no longer needed.
1.
2. Please disclose whether, and where, the application uses Java, Javascript, ActiveX, PHP or ASP (active server page) technology.
3. What language is the application back-end written in? (C, Perl, Python, VBScript, etc.)
4. Please describe the ASP process for doing security Quality Assurance testing for the application. For example, testing of authentication, authorization, and accounting functions, as well as any other activity designed to validate the security architecture.
5. Has the ASP done web code review, including CGI, Java, etc, for the explicit purposes of finding and remediating security vulnerabilities? If so, who did the review, what were the results, and what remediation activity has taken place? If not, when is such an activity planned?
1. The <Company Name> application infrastructure cannot utilize any "homegrown" cryptography – any symmetric, asymmetric or hashing algorithm utilized by the <Company Name> application infrastructure must utilize algorithms that have been published and evaluated by the general cryptographic community.
2. Encryption algorithms must be of sufficient strength to equate to 168-bit TripleDES.
3. Preferred hashing functions are SHA-1 and MD-5.
4. Connections to the ASP utilizing the Internet must be protected using any of the following cryptographic technologies: IPSec, SSL, SSH/SCP, PGP.
5. If the <Company Name> application infrastructure requires PKI, please contact <Company