Security Basics mailing list archives

RE: protecting web apps for governments


From: Miguel Gracia <mgracia () grayhairsoftware com>
Date: Tue, 19 Jun 2012 17:28:01 +0000

I see your point and agree with it to some degree because it all depends on the type of data being protected. However, 
when protecting personal data (DOB, personal id numbers, name, address, patient history etc.) technology costs should be 
the last item to worry about.

-mg 

-----Original Message-----
From: Rob [mailto:synja () synfulvisions com] 
Sent: Tuesday, June 19, 2012 1:23 PM
To: Miguel Gracia; listbounce () securityfocus com; marco cohen; security-basics () securityfocus com
Subject: Re: protecting web apps for governaments

I disagree.

When the cost of the security is significantly higher than the value of the asset being protected, it's a bad thing; 
especially for a government agency using public funds.

That being said, you do have to consider the PR value of the system; defacing the website of a computer security firm 
is more damaging than doing the same to the website of a grocery store.

Rob

-----Original Message-----
From: Miguel Gracia <mgracia () grayhairsoftware com>
Sender: listbounce () securityfocus com
Date: Tue, 19 Jun 2012 16:58:24
To: marco cohen<marcocohen2 () gmail com>; security-basics () securityfocus com<security-basics () securityfocus com>
Subject: RE: protecting web apps for governaments

There is no such thing as too much protection. If the company feels comfortable with this and thus requests nothing 
less, then it is worth having. From a technical standpoint, it may be overkill but it may be a requirement depending on 
audits done on the company and/or web apps.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of marco cohen
Sent: Tuesday, June 19, 2012 11:23 AM
To: security-basics () securityfocus com
Subject: protecting web apps for governaments

Hi all

I'm doing consulting for one of the governments in Europe.

The idea is to create a most secure segment in which we will locate all the web apps of the gov and to protect them 
from any attack. We will buy equipment like SIEM, HIDS, IPS, Firewalls and WAF and prevention of DDoS attacks.
But additionally to this, I am working on policies to implement hardening of the operating system of those servers.
I am also considering policies of code review (in this process also input validation), and a twice-a-year pentest of all 
the 200 web sites.
I am wondering about also doing code review for every change in those web apps + pentest 2 times a year + WAF.

ISN'T THAT TOO MUCH FOR PROTECTING THE WEB SERVERS??

Thanks a lot!

marco
