Medium
Automated Application Vulnerability Scanning
The (web-)application is subject to automated vulnerability scanning at least once per quarter. Scanning occurs authenticated as much as possible.
Automated Vulnerability Scanning
Network connected IT systems are subjected to automatic vulnerability scanning at least once per month. Scanning occurs authenticated where possible.
Coordinated Vulnerability Disclosure Policy
The organization has a published Coordinated Vulnerability Disclosure Policy to encourage security researchers and individuals to ethically find and report vulnerabilities.
Server and Application Infrastructure Not Shared
IT services run in their own virtual environments, vulnerabilities in one service cannot give access to other services. This includes no multiple websites on the same webserver unless they share...
Service Hardening
Services run under their own account with minimal necessary privileges . Only necessary services run on production servers, and are only accessible to necessary interfaces using Host-based Firewalls. All services...
Hardening Validation
IT systems have standard configurations that follow recommended hardening guidelines. Before new systems are taken into production, the systems are tested for adhering to the hardening guidelines. The standard images...
Baseline configuration
Document a security configuration baseline for the system based on current best practices from vendors and desired functionality. The baseline must be updated at least annually. Use this baseline for...
Malware Scanning
The system scans attachments, uploads and links for malware and filters content identified as harmful by these scans.
Mobile Applications
Description Mobile Applications use certificate pinning to prevent MitM attacks on apps and Open WiFi. Mobile applications have protections for the binaries that users can download. Mobile apps preferably store...
Configuration Files
Appropriate secrets management is applied to confidential information needed to develop and deliver the service. No hardcoded credentials and configurations are present in source code, only in separate configuration files...