This picture by Dustin Sacks shows the extreme measures one can take to feel secure.  It’s amusing that only one of the hundred or so locks actually anchors the bike to the bike rack.  Government web pages need to be secure, but currently there are many, many different security practices, so many that it can be overwhelming.  Some are more important, while others are merely cosmetic and provide only a false sense of security.  Some are not needed and may actually open the door to more attacks.  Over-zealousness may result in a situation like the bike pictured above.

Low Hanging Fruit

Why climb up the tree for an apple if you can reach the apple from the ground?  Removing the low-hanging fruit for hackers needs to be the first priority.  The OWASP Top 10 Risks represent the current low-hanging fruit.  If these risks are ignored, your site will be the first to get hacked.  For a development team, the CWE/SANS Top 25 Most Dangerous Software Errors are more valuable and instructive.

Regular training has helped Partnet uncover and resolve vulnerabilities in DOD EMALL that were thought not to exist in a system believed to be secure.  It has helped DOD EMALL stay ahead.  Because of training with the OWASP Top Ten, Partnet added protection against CSRF attacks nearly a year before these protections were required by the Application Development and Security STIG in May.

Adding Depth

A government website cannot be content with simply removing the low-hanging fruit.  But with so many security activities, it’s hard to know what to focus on next.  For adding depth, the OpenSAMM (Software Assurance Maturity Model) project from OWASP provides that guidance.  It organizes many of the best security practices into a maturity model: 12 general security practices grouped into four business functions: Governance, Construction, Verification, […]