09 May, 2007

How to stomp out XSS and SQL injection at your company

Faced with a Cross Site Scripting and SQL injection problem, the following compliance-based info security process should be implemented.


After long, intense thought and some discussion with colleagues, and in keeping with the successful SOX attestation control program, I think the obvious solution is as follows.

Send a mail to all employees stating that, for information security purposes, it is policy to remove the following keys from all company keyboards:
%
< >
!
~
&
#
[
]
:

Keys should be removed promptly and kept in a locked cabinet on the second floor. Only three people may have access to this cabinet.

If it is necessary to use one of these keys, it is possible to gain temporary access to them by filling out the appropriate Emergency Access Request ticket. Within 1 hour, a temporary combination to the cabinet will be mailed to you and a log entry will be made so that any injected code can be traced back to the person that had the access at the time of the injection.

You can then retrieve the keys and use them for up to one day (at your own risk).

For individuals who need to use these keys on a regular basis, it is possible to file for a SOX attestation exception so that you can be given access to a keyboard in a locked room when needed.

Yep, I think this will match the spirit and effectiveness of most SOX compliance processes perfectly.


;-)
