- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Tue, 22 Jul 2008 09:50:43 -0400
- To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
- Message-ID: <4DE292A150B5CA48BDDA9658300E7538831C68@IMCSRV8.MITRE.ORG>

My experience is more in architecture of app servers than authoring of code. Authoring code is one thing; code generated also has to land in a secure architecture.

Some things to consider:

1. Section on the granting of entitlements and authorization to use specific features functionality with least access granted. Includes permission structure of web server and any databases or other supporting app servers.
2. Separation of web app server from database services
3. Use / storage of identity attributes in a manner that supports secure handling of privacy information
4. Testing to ensure code handles all boundary conditions
5. Knowing the risk profile of the code to ensure patches are applied as needed.
6. Logging / reporting services to ensure application is running correctly

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Friday, July 18, 2008 2:12 PM
To: public-wsc-wg@w3.org
Subject: Anyone on WSC have any experience authoring a secure web site?

In the discussion of where to go next in the Secure Web Authoring Best Practices draft:

http://www.w3.org/2006/WSC/drafts/wsc-content/

We noted that, at least at that meeting, there were not a lot of participants with actual experience authoring secure web sites.

http://www.w3.org/2008/07/09-wsc-minutes.html#item04

Do any of you, WSC WG participants, have experience in authoring secure web sites? We'd like to check in on best practices, or on common mistakes.

Mez

Received on Tuesday, 22 July 2008 13:51:32 UTC