HackDig : Dig high-quality web security articles for hacker

Web Application Rules in the .Trust Policy

2014-11-21 10:45

NCC Group has invested resources in developing and promoting the concept of a Top-Level Domain (TLD) where greater information assurance is provided — the .trust TLD. Note this service has nothing to do with the organisation TRUSTe mentioned yesterday.

Partial screen capture from a page on the NCC .Trust website that explains how .trust stands on three core principles: verify, secure and assure

The recently announced (October 2014) .trust technical policy defines five policy areas (abuse, DNS, email, network and web application), each with rules and sub-rules. Although .trust is not for me on this blog (nor by some parts of NCC that insist on using .guide and .com for information and resources, including the very confusing redirect URL https://trust.guide), it may gain commercial traction and I was interested to see how their policy mapped to other standards.

I have compared the web application policy rules with the OWASP Application Security Verification Standard (ASVS), OWASP Testing Guide (Testing), the OWASP Top Ten (T10) and the Payment Card Industry Data Security Standard (PCI DSS). This is from the perspective of the .trust technical policy, and a mapping does not mean "the same as".

.Trust Technical Policy Rule OWASP PCI SSC
ID Rule ASVS v2 Testing v4 T10 2013 PCI DSS v3
6.1 Serve Content Over HTTPS V10.1, V10.2, V10.3 CRYPST-001 A5, A6 6.5.4,
6.5.10
6.2 Provide an Appropriate HTTP Strict-Transport-Security Header V3.15 CONFIG-007 A5, A6 6.5.4
6.3 Provide an Appropriate HTTP Public-Key-Pins Header - - A5, A6 6.5.4
6.4 Provide an Appropriate Content Security Policy 1.0 HTTP Header - - A3, A5 -
6.5 Provide an Appropriate X-Frame-Options HTTP Header V11.10 CLIENT-009 A5 -
6.6 Provide an Appropriate X-Content-Type-Options HTTP Header - - A5 -
6.7 Provide an Appropriate X-XSS-Protection HTTP Header - - A3, A5 -
6.8 Restrictions on the Use of JavaScript V5.16 CLIENT-002 A3 -
6.9 Do Not Serve Web Applications Containing Cross-Site Scripting Vulnerabilities V5.5, V5.16 INPVAL-001, INPVAL-002, CLIENT-001, CLIENT-002, CLIENT-003, CLIENT-004, CLIENT-005 A3 6.5.7
6.10 Must Not Serve Web Applications Containing Cross-Site Request Forgery Vulnerabilities V4.16 BUSLOGIC-002 A8 6.5.9
6.11 Must Not Serve Web Applications containing SQL Injection Vulnerabilities V5.10 INPVAL-005 A1 6.5.1
6.12 Must Not Serve Web Applications Containing HTTP Header Injection Vulnerabilities - INPVAL-016 A1 6.5.1
6.13 Do Not Serve Web Applications Containing Shell Command or Process Injection Vulnerabilities V5.12 INPVAL-013 A1 6.5.1
6.14 Do Not Serve Web Applications Containing Code Execution Vulnerabilities V5.1 INPVAL-014, INPVAL-012 - 6.5.2
6.15 Do Not Serve Web Applications Containing LDAP Injection Vulnerabilities V5.11 INPVAL-006 A1 6.5.1
6.16 Do Not Serve Web Applications Containing Directory Traversal Vulnerabilities V16.2 AUTHZ-001 - -
6.17 Do Not Serve Web Applications Containing XML Injection Vulnerabilities - INPVAL-008 A1 6.5.1
6.18 Do Not Serve Web Applications Containing XPATH Injection Vulnerabilities - INPVAL-010 A1 6.5.1
6.19 Do Not Serve Web Applications Containing XML Entity Expansion Vulnerabilities V5.13/14 - - -
6.20 Must Not Serve Web Applications Containing Open Redirects V16.1 CLIENT-004 A10 -
6.21 Do Not Serve Web Application Content from User Home Directories - - A5 6.5.8
6.22 Do Not Serve Web Application Directory Index Pages V4.5 - A5 6.5.5
6.23 Serve an Appropriate crossdomain.xml File With all Web Applications V16.10 CONFIG-008 A5 -
6.24 Serve an Appropriate clientaccesspolicy.xml File With all Web Applications V16.10 CONFIG-008 A5 -
6.25 Protect Application Cookies V3.12, V3.14, V3.15 SESS-002,
SESS-0024
A2 6.5.10
6.26 Perform Adequate Authentication of Users and Accounts V2.2, V2.7, V2.13, V2.17, V2.18, V2.20 AUTHN-002, AUTHN-003, AUTHN-004, AUTHN-005, AUTHN-006, AUTHN-007, AUTHN-008, AUTHN-009, AUTHN-010 A2, A6 6.5.3,
6.5.8,
6.5.10
6.27 Perform Adequate Authorization of Functions and Access to Data V4.1, V4.3 AUTHZ-002, AUTHZ-003, AUTHZ-004 A4, A7 6.5.8
6.28 Use Strong Session Identifiers V3.6, V3.7, V3.8, V3.11 SESS-003,
SESS-004
A2 6.5.10
6.29 Provide a Maximum Inactivity Timeout V3.3 SESS-007 A2 6.5.10
6.30 Host User-Generated Content From a Separate Domain - - A5 -

So considerable overlap, but there are unique testing in each of the above.

The seven rules in the .trust Abuse Policy are also relevant for hosted content such as what is linked to, what is redirected to, avoidance of obfuscation, and the types of files hosted, especially aspects that might be considered malware.


Source: yciloP-tsurT-toD-eht-ni-seluR-noitacilppA-beW/12/11/4102/ku.rellewdnekrelc.www

Read:1812 | Comments:0 | Tags:technical

“Web Application Rules in the .Trust Policy”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud