Line 3: |
Line 3: |
| ===Website Security=== | | ===Website Security=== |
| To protect GC electronic networks, devices and information, the following is a non-exhaustive list of security considerations that can be implemented in a layered manner to support a defence-in-depth approach for web services and minimize opportunities for cyber attacks: | | To protect GC electronic networks, devices and information, the following is a non-exhaustive list of security considerations that can be implemented in a layered manner to support a defence-in-depth approach for web services and minimize opportunities for cyber attacks: |
− | | + | <br> |
| * Deploy modern operating systems (OS) and applications that are maintained with supported, up-to-date, and tested versions of software. | | * Deploy modern operating systems (OS) and applications that are maintained with supported, up-to-date, and tested versions of software. |
| * Actively manage software vulnerabilities, including fixing known vulnerabilities quickly following a timely patch maintenance policy for OS and applications, and taking other mitigating steps, where patches can’t be applied. | | * Actively manage software vulnerabilities, including fixing known vulnerabilities quickly following a timely patch maintenance policy for OS and applications, and taking other mitigating steps, where patches can’t be applied. |
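Review bot: Replacing the blank line before the bullet list with `<br>` (the `+ | <br> |` line) is unnecessary and makes the spacing depend on HTML rendering rather than wikitext; a blank line between the introductory paragraph and the `*` list already produces a paragraph break. Suggest keeping the blank line instead of the `<br>` tag so the list stays a clean wikitext block.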
Line 12: |
Line 12: |
| * Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access. | | * Use strong authentication mechanisms (for example, multi-factor authentication) where possible to protect from unauthorized access. |
| * Design web services so that they are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Open Web Application Security * Project (OWASP) Top 10]. | | * Design web services so that they are protected from common security vulnerabilities such as SQL injection and others described in widely-used publications such as the [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Open Web Application Security * Project (OWASP) Top 10]. |
− |
| |
| For more information on best practices, refer to [https://www.cse-cst.gc.ca/en/group-groupe/its-advice-and-guidance Communications Security Establishment’s (CSE’s) IT security advice and guidance]. | | For more information on best practices, refer to [https://www.cse-cst.gc.ca/en/group-groupe/its-advice-and-guidance Communications Security Establishment’s (CSE’s) IT security advice and guidance]. |
| <br><br> | | <br><br> |
| '''Additional Guidance:''' [https://www.us-cert.gov/ncas/tips/ST18-006 Website Security | US-CERT] | | '''Additional Guidance:''' [https://www.us-cert.gov/ncas/tips/ST18-006 Website Security | US-CERT] |
| + | <br><br> |
| | | |
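Review bot: The added `<br><br>` after the "Additional Guidance" link stacks with the existing `<br><br>` immediately before it and with the blank line that follows, so the section now ends with several layers of spacing markup; suggest dropping the new `<br><br>` and relying on the blank line plus the next `===` heading for separation. Separately, while touching this hunk, the unchanged OWASP link label in the context line reads "Open Web Application Security * Project (OWASP) Top 10", where the stray " * " splits the label; it would be worth correcting in a follow-up edit.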
| ===HTTP/2=== | | ===HTTP/2=== |
Line 27: |
Line 27: |
| * [https://http2.github.io/faq/ HTTP/2 Working Group FAQ] | | * [https://http2.github.io/faq/ HTTP/2 Working Group FAQ] |
| * [https://tools.ietf.org/html/rfc7540 RFC 7540], the final spec | | * [https://tools.ietf.org/html/rfc7540 RFC 7540], the final spec |
| + | <br> |
| | | |
| ===Next Steps: TLS 1.3=== | | ===Next Steps: TLS 1.3=== |
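Review bot: The `<br>` added after the HTTP/2 reference list sits directly before the "===Next Steps: TLS 1.3===" heading, which already carries its own top margin in MediaWiki, so the tag only adds an uneven gap; suggest removing it and leaving the existing blank line between the list and the heading.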