Austria’s E-Economy – Basic organizational and technical requirements for increasing ICT security in the energy industry
The document describes the essential information security requirements for the procurement and operation of ICT components and systems used to monitor and control the power supply. The guideline serves as a checklist for project managers, asset or system managers, information security officers and management in the energy supply and manufacturing sectors. Its recommendations cover all essential security measures needed in procurement, project management, operation and within the organization. As vulnerabilities in Web applications are quite common, generally accepted security recommendations, for example those of the Open Web Application Security Project (OWASP) or of ÖNORM A 7700 “Information Processing – Security Requirements for Web Applications”, should be taken into account during the development of Web applications.
Federal Ministry of the Interior and Agriculture, Forestry and Water Management Rechenzentrum GmbH – Best Practice Standard Portal 2.0
Presentation on security in the software development and operation of an Identity and Access Management solution, given at the eGovernment Conference 2014, 3.-4.6.2014, Eisenstadt.
Federal Association of Energy and Water Management – Implementation notes for the application of the BDEW Whitepaper
In 2008, the German BDEW (Federal Association for Energy and Water Management) published the “Requirements for Secure Control and Telecommunication Systems” document, which details the basic security measures for control and telecommunication systems used in process control for energy supply. The BDEW whitepaper aims to protect these systems in their standard configuration against security threats in daily operation. Austrian Energy and BDEW jointly produced the present best practice paper, which gives instructions for implementing the aforementioned whitepaper. Security requirements for Web applications should take into account and implement generally accepted security recommendations and notes such as those of the Open Web Application Security Project (OWASP) or ÖNORM A 7700 “Information Processing – Security Requirements for Web Applications”.
BSI Guide to the Development of Secure Web Applications
Today’s applications are mostly developed for the Web. Security-specific requirements for the design, implementation and operation of such applications are usually not complete at the time of the call for tenders; more often than not, they are worked out during the project itself. As a result, Web applications repeatedly contain vulnerabilities that can be exploited in a variety of attacks.
The “BSI-Leitfaden zur Entwicklung sicherer Webanwendungen” (A guide to the development of secure Web applications), published by the BSI in cooperation with SEC Consult, can significantly improve the level of IT security in the federal administration and beyond. It consists of reliable guidelines for secure development and a structured approach to testing and accepting the software. The guide is an excellent tool for IT managers and project managers working for public institutions or within this industry. It can be used to prepare contract documents or to define performance and acceptance criteria, thus supporting the entire contract award process.
The study is divided into two parts: the first defines requirements for the contractor while the second presents a guideline on how to test compliance with these requirements.
Austrian Information Security Manual (Version 2.3, April 2007)
The ONR 17700 standard (precursor to the ÖNORM A 7700) is listed as one of the important standards for information security and IT security (Appendix A5, page 323).
KES – 2007/4 Edition: SOA Security with the ONR 17700
The ONR 17700 standard defines clear guidelines for the secure development and quality of Web applications. The framework can also be applied to the Web services of a service-oriented architecture (SOA) and to their certification. This article describes how certification works in an SOA environment.
BSI Standard for Internet Security (ISi Series) – Secure Provisioning of Web Services (ISi Webserver)
The “BSI-Standard zur Internet-Sicherheit (ISi-Reihe)” (The BSI Internet Security Standard (ISi Series)) is designed to provide government agencies and businesses with comprehensive and up-to-date information so they can develop, extend or rebuild their Internet activities as independently as possible. The “Secure Provisioning of Web Services” (ISi Webserver) module of the BSI standard details both the essential threats to Web services and the security recommendations for providing them securely. Many of its measures are derived directly from the ÖNORM A 7700 standard.
Secure 2008 – Secure BSI-based applications
Thomas Kerbl (SEC Consult) and Cornelia Strobel (Federal Office for Information Security, BSI) delivered a presentation on “Secure applications based on BSI” at the Secure 2008 conference in Bad Homburg. Among other general security topics, they presented the new BSI study in the ISi series, “Secure provisioning of Web services”, developed jointly with SEC Consult, as well as the ONR 17700 standard (the first EU-wide recognized standard for Web application security).