Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Generally speaking.
How do a project manager evaluate and track the security issue for a project? Or is there any online resource that I can use as a reference ?
I would say that you would track this like everything else you track on your project.
Make sure that there is an architecture and project requirement review -- go though all aspect of the architecture and design and document any issues and questions as you go along. Depending on your application, it may include securing external communication and communication between different parts of the application, and understand any possibilities for malicious user input. If your application store any data, review what data is stored, and ask "what would happen if the data was lost or leaked". Understand how all sensitive data store is encrypted, and make sure that user passwords are never stored (store a oneway hash instead). Review how/if any encryption keys can be rotated, so that loss/leak of key does not mean compromise of security.
Document all issues and questions found in your favorite bug tracking and task management tool, even if just as reminder to get back and inspect actual implementation.
I think you add them as 'risks' or 'tasks' in your ALM system, depending on which phase you are current in with respect to your project.
How to evaluate security issues is usually deferred first to Devs or IT Profs depending on the nature and then reported back to the PM for review.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
I am new to web development, and particularly for the back end, I was wondering what are the first basic precautions should be implemented to ensure cybersecurity to avoid any exploits which could leak user data or credential for example.
First of all make sure you are following the CIA model:
Confidentiality: Refers to access control of information to ensure that those who should not have access are kept out. This can be done with passwords, usernames, and other access control components.
Integrity: Ensures that the information end-users receive is accurate and unaltered by anyone other than the site owner. This is often done with encryption, such as Secure Socket Layer (SSL) certificates which ensure that data in transit is encrypted.
Availability: Ensures information can be accessed when needed.
Some other tips would be :
Use SSL certificate.
Take precautions when accepting file uploads through your site.(Incase if you have)
Use CSP (To prevent against Cross-site scripting)
Set permissions that controls who can read, write, and execute any given file or folder of your website.
Limit Login Attempts and temporarily lock out IP Addresses that make several failed attempts to get inside.
Keep scripts up-to-date.
Maintain multilayer security and keep backup.
And please take care of your Database, how you create and link it.
Lastly, show the beta version of your website to someone with good experience to look for any loopholes before your website goes live.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
This question is not related to code or any bug. I have an organisation related query. I am a front end developer. I consume web API's developed by the back end developers in my company. The problem here is, they share it via postman. API's are segregated project wise in folders. Problem is, the nomenclature of the API as well as the functionality differs. This creates lot of confusion for me while consuming API's. secondly, There is no indication that whether the API is deployed on a server or not. So sometimes, I end up writing the code and realize that the specific API is not deployed yet.
My question is, how does the world do it? How is the communication between developers established with this specific domain? How can one overcome this problem?
I hope i interpret your question correctly:
One of the methods used in the industry is scrum (specifically daily stand ups) where you talk about the work you intend to perform that day. This will give the back-end guys an opportunity to tell you its not yet ready. It really depends on the culture in the company. Why are they writing endpoints not yet deployed, and if not deployed, how difficult is it for you to make them deploy them?
Another way is DevOps which many think of as scrum for the entire value chain.
These methologies are however not something you can dictate, but they arose because of the problem you are refering to.
In practice: You should probably ask to get another folder called "SafeToUse" or "ReadyForConsumption" in Postman and in this way you can clearly see whats on its way and whats ready.
I hope this answers your question. I can't recommend anything more specific not knowing the kind of work you perform - normally in my experience the front- and backend for a given project is developed with close communication.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
Beginning PowerShell and looking at the automatic tasks that can be run as Admin.
Are there security risks in automating tasks? How can I resolve these issues? Is there a way to script more security before the task is run?
I have been looking for hours trying to find an answer and nothing has come up for database risks, only for PHP and website issues. But what about the active directory or communicating with the servers? Or just simple things like looking for free disk space? Do those pose a security threat to the network?
The topic of securing an OS is huge and really off-topic on SO. I recommend you to get a basic course material like, say, CompTIA Security+ or the like. Learn the basic principles and concepts first, then focus on technology specific issues.
That being said, the most obvious security hole with scripted operations is invalid permissions. Consider that the admin script is in a directory that allows write access to non-admin users. Oops, immediate backdoor. Can you figure out why?
Even read access is dangerous. Maybe the admin script has stored credentials in plain-text or serialized on disk? Oops, another a security hole.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I was under the impression that MediaWiki is due to its nature as "open for all Wiki platform" not tailored towards managing sensitive information.
I found some warnings about this on the MediaWiki FAQ and some user account extensions as:
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
Now a consultant of my boss tells him there is no problem with sensitive information at all. I would like to hear if he is right and I worry too much.
I suppose all problems would go away if we would use separate instances of MediaWiki for every user group with the same rights.
Think about the risks here:
What sort of data are you planning on populating it with? If it is personal data such as salary, home address or medical data, or if it is credit card data then you may be required to protect it appropriately (in the US see HIPAA, Gramm-Leech-Bliley, SoX and state data protection legislation; in the UK see DPA 1988, FSA regs; in Japan JSoX; Globally PCI-DSS)
Aside from those regulations (and a whole lot of others globally) how would your business cope if the data was deleted, or published on the Internet, or modified, or corrupted?
The answers should help you define an 'appropriate' level of protection, which should then be explained along with the possible risks to the board, who should then make the decision as to whether it should go in.
(tweak the above based on company size, country etc)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I have taken over a large project at work that requires a lot of TLC to get it into a manageable state. The whys and hows of this situation don't really matter at this point.
I was thinking I could use some of the concepts of IT Service Management to rein in this project. It has no coding standards, no change management, no issue tracking, and no build process to speak of. Everything is done by hand in Explorer with issues added to a Word document as the help desk receives them.
What kind of formal process would you use to address this situation?
Have you considered ITIL? It has a formalized structure for some of the areas that you’re dealing with, such as application management, change management, and incident management. It’s a formal process with supporting documentation and certifications.