Building and maintaining web applications and websites requires careful attention to configuration, development and maintenance. The Internet is unforgiving of security vulnerabilities in each of these areas, and compromised web sites are a threat to the network environment.
The Johns Hopkins ICSC has approved as a technology standard a detailed questionnaire/checklist for those looking to develop or host websites and applications. The checklist is meant to help people building or planning to build a web presence consider risks and good practices. It is a total life-cycle approach specific to Hopkins and our relatively open web environment. It is not simply a series of technical security controls like you might see in OWASP, it is a management guide for web strategies in an increasingly hostile world.
For more technical security discussions, we strongly recommend the OWASP resources, specifically the estimable Top 10, proactive controls, and mobile development. For those looking to develop, mobile applications, Hopkins has guidance under development, and you should contact firstname.lastname@example.org.
Web Development Lifecycle
The security checklist goes into greater detail regarding requirements and practices, yet we can mention some of the highlights.
- Should the website be developed and hosting by IT@JH, or similarly sophisticated departmental IT? In most cases, professionally developed and hosted IT will be the best option for creating and maintaining a site.
- Does the site have appropriate governance and management commitment to ensure that it meets development standards and can be maintained over the long term?
- Is the web server configured and maintained according to Hopkins standards? Is it tested using Hopkins vulnerability tools, such as Tenable Security Center?
- Secure code development can be difficult, and it requires good architecture, solid coding practices and continuous testing. Hopkins uses several tools (e.g. Netsparker, burpsuite) for testing sites. You should coordinate testing with your server administration and development teams, and check with email@example.com.
- While setting up a website can be fun and exciting, on-going monitoring and maintenance are, from a security perspective more critical than initial development. One of the reasons we strongly recommend managed web services is that server and web site monitoring are complex IT topics. Maintenance, including rapid patching, requires careful attention and strong business processes.
- Site content management -- one of the more common security problems is that users can post potentially sensitive information or that the larger web world can often post malicious content. Part of the governance strategy is ensuring that the site includes only what is necessary to meet your business, communications or technical requirements.
Web application security is challenging and requires constant vigilance, we therefore strongly urge that you consult with your Hopkins IT experts to create strategies that can be maintained over the long term. For any questions on web security, please contact firstname.lastname@example.org.