
I'm developing a web based application. I want to create it so that it could be adopted by teams within corporations and large organisations that have tight IS standards.

The initial organisations targeted are not in specifically regulated industries, but will need to adhere to regional data protection and usage regulations.

What are the factors I need to plan for?

AviD
Boz

  • Can you let us know what industries and countries you are targeting, as regulated industries' first aim is to meet regs (eg Financial Services: SOx; Healthcare: GLB, HIPAA etc) – Rory Alsop Feb 20 '12 at 15:10
  • We currently work within Sky and BP. The web based app would initially be used by teams within these kinds of global businesses. – Boz Feb 21 '12 at 10:22
  • Updated the question to include that - it will help folks provide relevant answers – Rory Alsop Feb 21 '12 at 11:03
  • Make sure that the policies arising from your effort are enforceable ones. – jl01 Feb 21 '12 at 18:50

3 Answers

3

I think the question is too general to expect a specific answer. So I will answer it with a general answer. In general OWASP is a good source for web application security especially their Development Guide.

ceving
3

First, make whatever you can pluggable. Loose-coupling, good form, all that jazz that's all over programmers.stackexchange.com. That way if somebody wants to change out username / password for domain auth, you can sell it as an easy feature. Similarly with changing logging from text files to syslog to databases.

  • Authentication and Authorization
  • Logging

... and that's about it. Keep unauthorized users out and limit authorized users to their roles, log behavior, and maintain integrity (application specific, but basically be careful of irreversible changes). Everything in an audit really boils down to those behaviors. Code with the idea that you'll log everything and use configuration to turn off things you don't want. Create permissions with roles and focus on the business logic of what users might do.

Can UserA see cost pricing? Can they set sales pricing? Ask a lot of questions of yourself like that. If your application is flexible and comprehensive in those areas I mentioned, you'll be able to meet most any standard out there.

Jeff Ferland
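The two areas this answer names, pluggable authentication and logging plus role-based permissions with everything logged by default, sketched in Python as an added example that is not part of the answer. The password backend, the in-memory audit sink, the role names and the `pricing:*` permission strings are all assumptions chosen to mirror the "can UserA see cost pricing / set sales pricing" questions:

```python
"""Pluggable auth, RBAC and audit logging (added illustration of the answer above, not code from the original post)."""
import hashlib, hmac, secrets, time
from typing import Callable, Iterable, Protocol


class Authenticator(Protocol):
    """Swap this for LDAP/Kerberos/SAML without touching the callers."""
    def authenticate(self, username: str, secret: str) -> bool: ...


class LocalPasswordAuthenticator:
    """Username/password backend (hypothetical): salted PBKDF2, constant-time compare."""
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))

    def authenticate(self, username: str, secret: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000))


class MemorySink:
    """Audit sink kept in memory so the example runs offline; a file, syslog or DB sink exposes the same write()."""
    def __init__(self) -> None:
        self.records: list[dict] = []

    def write(self, record: dict) -> None:
        self.records.append(record)


class AuditLog:
    """Log everything by default; configuration switches categories off."""
    def __init__(self, sink, disabled: Iterable[str] = ()) -> None:
        self.sink, self.disabled = sink, set(disabled)

    def emit(self, category: str, **fields: object) -> None:
        if category in self.disabled:
            return
        self.sink.write({"ts": time.time(), "category": category, **fields})


# Hypothetical roles built from the answer's business questions (cost vs. sales pricing).
ROLE_PERMISSIONS = {
    "sales": {"pricing:sales:view", "pricing:sales:set"},
    "finance": {"pricing:cost:view", "pricing:sales:view"},
    "viewer": {"pricing:sales:view"},
}


class Authorizer:
    def __init__(self, role_permissions: dict, user_roles: dict) -> None:
        self.role_permissions, self.user_roles = role_permissions, user_roles

    def allows(self, user: str, permission: str) -> bool:
        return any(permission in self.role_permissions.get(role, set())
                   for role in self.user_roles.get(user, []))


class App:
    def __init__(self, auth: Authenticator, authz: Authorizer, audit: AuditLog) -> None:
        self.auth, self.authz, self.audit = auth, authz, audit

    def login(self, username: str, secret: str) -> bool:
        ok = self.auth.authenticate(username, secret)
        self.audit.emit("auth", user=username, outcome="success" if ok else "failure")
        return ok

    def perform(self, user: str, permission: str, action: Callable[[], object]) -> object:
        # Every privileged action passes one authz check and leaves one audit record.
        if not self.authz.allows(user, permission):
            self.audit.emit("authz", user=user, permission=permission, outcome="denied")
            raise PermissionError(f"{user} lacks {permission}")
        self.audit.emit("authz", user=user, permission=permission, outcome="allowed")
        return action()


def demo() -> dict:
    auth = LocalPasswordAuthenticator()
    auth.add_user("alice", "correct horse battery staple")  # constructed credential
    authz = Authorizer(ROLE_PERMISSIONS, {"alice": ["sales"], "bob": ["viewer"]})
    sink = MemorySink()
    app = App(auth, authz, AuditLog(sink, disabled={"debug"}))
    out = {
        "alice_login": app.login("alice", "correct horse battery staple"),
        "alice_bad_login": app.login("alice", "wrong"),
        "alice_set_price": app.perform("alice", "pricing:sales:set", lambda: "price set"),
        "alice_cost_view": authz.allows("alice", "pricing:cost:view"),
    }
    try:
        app.perform("bob", "pricing:sales:set", lambda: "price set")
    except PermissionError as denied:
        out["bob_set_price"] = str(denied)
    out["audit_records"] = len(sink.records)
    return out
```

Replacing `LocalPasswordAuthenticator` with a directory-backed class means satisfying one method, `authenticate()`, and replacing `MemorySink` with a syslog or database writer means satisfying `write()`; the rest of the application never learns about the change. Running `demo()` also shows the audit trail the answer asks for: both logins, the permitted price change and the denied attempt each leave a record, while the `disabled` set is where configuration, not code, turns categories off.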
2

My recommendation - regardless of industry and regulations - think about protecting your brand. Regardless of Industry. Use good common sense security around data handling. PCI and FISMA have technical controls around web applications and of course OWASP. Generally - you should introduce web applications testing on your coding work bench prior to your 1st launch of your web service and test again prior to any new code push. Also the concept of the Web Application Firewall is important for the security architecture of the app while in production. WhiteHat security provides some real time testing of the application working in conjunction with the Application firewall to update any finding with the virtual "patch" concept as well.