Website Security and Penetration Testing

Thanks again to Doug and Grant for taking time to brief us on current web security trends.  A few of our notes are below but check out their site Jacadis Web Security Firm to get all the details.


Ultra Basic Web Security Practices

  • Check out the OWASP standards for best practices on website security (OWASP)
  • Adopt a minimum standard such as OWASP Top 10 or Top 20 and make sure all web developers follow those practices at a minimum
  • Have all staff who touch client software projects (web developers, mobile application developers, database architects, even project managers) read and sign off that they will commit to these standards
  • Hold at least an annual (quarterly is preferred) staff meeting to review changes in the industry
  • Run industry standard website penetration testing prior to launching a web application
  • Run the same industry standard web security software after major upgrades or, if possible, quarterly, to confirm that no newly identified threats affect the application


More Advanced Strategies for Website Security

  • Create a basic brochure or document for all your clients that educates them on why they need to invest time and money in website security
  • Create tiered security levels and commit to following minimum standards for each tier
    • Tiers could be (Tier 1: no exposure to the web or confidential information; Tier 3: HIPAA, COPPA, FERPA data stored)
  • Include baseline security standards, such as an open source vulnerability test, for all website and mobile applications you develop, as a default practice for every project


Thanks again to the team at Jacadis for presenting at our event.