DW-compliance of OWASP

Jacob Bertelsen

Posted on 02/02/2017 16:03:18

Hi,

A customer has asked if DW complies with the OWASP top ten cheat sheet:
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

Any smarter heads than me, that know the answer to this? :)

Replies

Nicolai Pedersen

Posted on 02/02/2017 16:30:20

Hi Jacob

To some extend. We know the 'ruleset' and have in recent years implemented and changed a lot in Dynamicweb to follow the guidelines.

But a lot of the things in the guidelines are also related to the implementation, settings and hosting environment, so it really also depends on the implementation.
I.e. the templates can be inconsistent with these demands, you have to setup servervalidation of i.e. the cart, user password hashing is configurable (one setting is not compliant) etc.

In the Injection and XXS area we follow these guides and have also changed a lot of data access in recent years to become compliant.

Also, Dynamicweb is used by a number of banks that yearly has to scan for security - we also work with those security companies to ensure the application.

BR Nicolai

Jacob Bertelsen

Posted on 08/02/2017 12:45:12

Thanks for the answer :) .

I will get back, with details of clarifications, if any.

Jacob Bertelsen

Posted on 21/06/2017 13:56:44

Hi Nicolai,

The customer in question has gotten back to us, with a detailed scan report, regarding both OWASP and other things.
I would rather not share this information "publically" in the forum.
Can I send these reports and questions to you in a direct email, or should I go through suport@dynamicweb.dk?

Nicolai Pedersen

Posted on 21/06/2017 15:12:04

Hi Jacob

You are most welcome to mail it directly to me - thanks!

BR Nicolai

You must be logged in to post in the forum

Developer forum

DW-compliance of OWASP

Replies