This is the online version of TSS-WEB, a document that consists of exemplary content for a (mainly) technical security standard for web-based applications and services. It may be used as a template for a custom organization-specific security standard, or simply as a collection of suggested baseline requirements for teams and projects. All requirements in this document are based on common best practices (including, of course, those from OWASP and WASC) as well as our own experience in this field.
We are constantly improving and extending this content to integrate new developments, threats and best practices.
Note About English Translation
This is the first English translation of the original German document, which has been worked on in the community for a while. This version may therefore contain some translation “bugs”, which is why it is still in DRAFT state.
Additional Security Content
Do you need additional security content for Confluence (which can also be integrated into MS SharePoint), such as threat intelligence or secure coding guidelines for Java EE, JSF, ASP.NET, Angular etc., with code snippets that you can customize to your own needs? Then have a look at our Security Content for Confluence offering.
The objective of TSS-WEB is to provide a framework of high-level application security requirements that can be adapted by organizations and used to map implementation-specific coding guidelines, e.g. for web frameworks such as ASP.NET, JSF or PHP Symfony. Wikis such as Confluence are a great documentation tool for that.
Table of Contents
- 1. Introduction
- 2. Remediation of Vulnerabilities
- 3. Operational Requirements
- 4. Protection of Source and Program Code
- 5. Security within the Development Process
- 6. Security Tests
- 7. Supplier Requirements
- 8. Implementation Requirements
- Appendix A: Requirements for HTTP Security Header
- Appendix B: Common Vulnerabilities in Web Applications (OWASP Top Ten)
Feedback about this content is very much appreciated! Please send it via mail to tss-web (at) secodis.com.
There have been a number of content changes since v1.5 that haven't been released yet. They are highlighted using blue color and currently affect the following sections:
- updated Jul 31, 2018