Developer forum


DW-compliance of OWASP

Jacob Bertelsen

Hi,

A customer has asked if DW complies with the OWASP top ten cheat sheet:
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

Any smarter heads than me, that know the answer to this? :)


Replies

Nicolai Pedersen

Hi Jacob

To some extent. We know the 'ruleset' and have in recent years implemented and changed a lot in Dynamicweb to follow the guidelines.

But a lot of the things in the guidelines are also related to the implementation, settings and hosting environment, so it really also depends on the implementation.
E.g. the templates can be inconsistent with these demands, you have to set up server validation of e.g. the cart, user password hashing is configurable (one setting is not compliant) etc.

In the Injection and XSS area we follow these guides and have also changed a lot of data access in recent years to become compliant.

Also, Dynamicweb is used by a number of banks that yearly have to scan for security - we also work with those security companies to ensure the application.

BR Nicolai
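The two implementation-side points above (server validation of the cart, and a password-hashing setting that is or is not compliant) are the kind of thing an OWASP scan flags regardless of the platform. The following is an added illustration written for this thread, not Dynamicweb code and not its API: a hypothetical server-side cart check that recomputes every line from a server-held catalog (constructed here inline) and rejects client-supplied prices or quantities that do not match, next to an unsalted fast hash versus salted PBKDF2 for stored passwords. Catalog contents, SKUs, function names and the iteration count are all assumptions.

```python
"""Illustrative server-side checks (not Dynamicweb code)."""
from decimal import Decimal, InvalidOperation
import hashlib
import hmac
import os

# Constructed catalog standing in for the server-side price source.
# Assumption: the server, not the browser, is the authority on prices and stock.
CATALOG = {
    "SKU-100": {"price": Decimal("199.00"), "stock": 10},
    "SKU-200": {"price": Decimal("49.50"), "stock": 2},
}


class CartError(ValueError):
    """Raised when a submitted cart cannot be trusted."""


def validate_cart(submitted_lines, catalog=CATALOG):
    """Rebuild the cart from server data; never trust posted prices or totals.

    submitted_lines is what a browser might post, e.g.
    {"sku": "SKU-100", "qty": 2, "price": "199.00"}.
    Returns (lines, total) computed from the catalog, or raises CartError.
    """
    lines = []
    total = Decimal("0")
    for item in submitted_lines:
        sku = item.get("sku")
        if sku not in catalog:
            raise CartError(f"unknown sku {sku!r}")
        try:
            qty = int(item.get("qty", 0))
        except (TypeError, ValueError):
            raise CartError(f"non-integer quantity for {sku}")
        # Negative or zero quantities are a classic trick to turn a line into a credit.
        if qty <= 0:
            raise CartError(f"quantity must be positive for {sku}")
        if qty > catalog[sku]["stock"]:
            raise CartError(f"insufficient stock for {sku}")
        server_price = catalog[sku]["price"]
        # If the client also sent a price, reject a mismatch instead of silently
        # correcting it, so tampering attempts are visible in the logs.
        client_price = item.get("price")
        if client_price is not None:
            try:
                posted = Decimal(str(client_price))
            except InvalidOperation:
                raise CartError(f"malformed price for {sku}")
            if posted != server_price:
                raise CartError(
                    f"price mismatch for {sku}: client {posted}, server {server_price}"
                )
        line_total = server_price * qty
        lines.append({"sku": sku, "qty": qty, "unit_price": server_price,
                      "line_total": line_total})
        total += line_total
    return lines, total


# Password storage: the non-compliant style (unsalted, fast hash) ...
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# ... versus a salted, slow KDF. Iteration count is an assumption for illustration.
def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # A browser posting the real price is accepted; a lowered price is rejected.
    print(validate_cart([{"sku": "SKU-100", "qty": 2, "price": "199.00"}]))
    try:
        validate_cart([{"sku": "SKU-100", "qty": 1, "price": "1.00"}])
    except CartError as exc:
        print("rejected:", exc)
    # Same password, two salts: the weak hash is identical, PBKDF2 output is not.
    print(weak_hash("hunter2") == weak_hash("hunter2"))
    print(pbkdf2_hash("hunter2") != pbkdf2_hash("hunter2"))
```

The point of the cart check is that the posted `price` is only ever compared, never used; the total that reaches the payment step is derived from the catalog alone. Whether a password setting is "compliant" comes down to exactly the difference between `weak_hash` and `pbkdf2_hash`: a per-user salt and a deliberately slow function.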

Jacob Bertelsen

Thanks for the answer :) .

I will get back with details of clarifications, if any.

Jacob Bertelsen

Hi Nicolai,

The customer in question has gotten back to us, with a detailed scan report, regarding both OWASP and other things.
I would rather not share this information "publicly" in the forum.
Can I send these reports and questions to you in a direct email, or should I go through support@dynamicweb.dk?

Nicolai Pedersen

Hi Jacob

You are most welcome to mail it directly to me - thanks!

BR Nicolai
