Web application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that any web application be assessed for vulnerabilities and any vulnerabilities be remediated prior to production deployment.
The purpose of this policy is to define web application security assessments within Diocese of Paterson. Web application assessments are performed to identify potential or realized weaknesses as a result of inadvertent mis-configuration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of the Diocese of Paterson services available both internally and externally as well as satisfy compliance with any relevant policies in place.
This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk managements, and change control of technologies in use at Diocese of Paterson. All web application security assessments will be performed by delegated security personnel either employed or contracted by Diocese of Paterson. All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of Diocese of Paterson is strictly prohibited unless approved by the Director of Technology.
Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.
None