DNN Forums

Ask questions about your website to get help learning DNN and help resolve issues.

Forums
Search Forums

Advanced Search Topics Posts

OWASP security check

Forums > Administration and Configuration

Sort:

You are not authorized to post a reply.

Author

Messages

Willem

Advanced Member

Posts:159

12/10/2020 4:43 AM

How to tell your customers your website is save and secure? You can use OWASP

I found this page on the DNN website: https://www.dnnsoftware.c...st-owasp-top-10-2013

Does someone have a more recent version or where can I find this?

KenT

Growing Member

Posts:72

12/10/2020 5:21 AM

OWASP is an open community set of definitions. https://owasp.org/www-pro...test/2-Introduction/
I would strongly recommend not just quoting from an older community document, it may not be accurate and if something gets hacked later might leave you open to allegations of fraudulent misrepresentation.
They form part of a 'security questionnaire' you can provide to your customer. Forgive me if I am teaching granny here. These are most often independently 'assured' by an external tester. Usually as part of an ISO27001 ISMS scheme. You can self certify once you have done the checklist, though its not ideal.
As a solution, I suggest you ask your hosting provider about their ISO27001 and other compliance as the start point. You 'off-set' compliance to them. Also ask them if they have penetration testing at the hardware level. Then you point out the DNN has unique built-in security testing, and together, they give a high level of assurance though not a full penetration test (these are costly at about £3k a go)! Hope this helps, can provide a questionnaire if you want one?

Michael Tobisch

Veteran Member

Posts:1124
Veteran Member

12/10/2020 6:32 AM

Willem,

I use the following (amongst other steps):

securityheaders.io - for the web site
Qualys Test - for the whole server

Use certificates, and force HTTPS. Read Why EVERY site should be secured by HTTPS.

Read and follow 7 Tips to Protect your DNN Website from Ransomware.

Read and follow Tip 1: Never put Web-Files on Drive C - Harden DNN against Ransomware Attacks and future articles from this series.

To secure your database I recommend to read and follow this article: Secure your DNN database by some simple steps.

You should never ever open a port on your web server that is not needed - esp. do not allow anyone (and if they are the best tech-persons amongst your clients and really know what do do) to access the SQL Server from their computers. Get rid of FTP (except you can use SFTP - and don't confuse it with FTPS).

There are companies that do security audits. They have employed hackers who know where to look. If your customers really want to be save, they should take money into their hands and engage them.

And: stay up to date. Windows XP Service Pack 3 was secure when it was deployed.

Happy DNNing!
Michael

Michael Tobisch
DNN★MVP

You are not authorized to post a reply.

These Forums are dedicated to the discussion of DNN Platform.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

If you have (suspected) security issues, please DO NOT post them in the forums but instead follow the official DNN security policy.
No Advertising. This includes the promotion of commercial and non-commercial products or services which are not directly related to DNN.
No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
No Flaming or Trolling.
No Profanity, Racism, or Prejudice.
Site Moderators have the final word on approving / removing a thread or post or comment.
English language posting only, please.

Would you like to help us?

Awesome! Simply post in the forums using the link below and we'll get you started.

Get Involved