Thanks a lot. These documents are very helpful indeed.
frank
On 10/12/2018 06:07 PM, Dominic Schallert wrote:
Hi,
regarding TLS best practices, BSI TR-02102-2 (Version 2018-01) might be
a good starting point;
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf
(Unfortunately in German only)
NIST provides something similiar with SP 800-52 Rev. 2 (Draft);
https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft
Generally these kind of guidelines/documents tend to get outdated
very quickly as technology moves forward very fast.
Cheers
Dominic
Am 12.10.2018 um 08:23 schrieb Frank Thommen
<[email protected] <mailto:[email protected]>>:
Every one to two years seems fine to me as "consumer". Maybe with
emergency updates in-between when critical issues appear?
Ideally the website would announce, that the document is regularly
updated.
frank
On 11/10/18 22:05, Susan E. Sons wrote:
There are some corners of the guide that are out of date, but I haven't
yet found a better resource to point operators to if they aren't
familiar with these security concerns.
I'm constantly coming across problems caused by even the software
developers' "best practice" recommendations being completely wrong. For
example, several major CMSes advise that all executable parts of the CMS
be writable by the web server! Well-meaning admins follow these best
practices guides not knowing that they are making their installations
insecure by doing so.
If there were an effort to update the existing material, however, I
could probably chip in a small amount of effort from my staff at the
Center for Applied Cybersecurity Research to assist with those updates.
A new version every year or two may be the best we can do.
Susan
On 10/11/2018 01:14 PM, Frank Thommen wrote:
Hello,
recently someone asked, if this (bettercrypto?) project is dead. My
impression is, that it is at least extremely passive. Not being a
security and network protocol expert I nevertheless think that the
"Applied Crypto Hardening" paper of 2016
(https://bettercrypto.org/static/applied-crypto-hardening.pdf) is
probably very, very outdated and maybe even dangerous to rely on.
Questions:
a) Is there some kind of successor project/paper with up to date
copy-paste recommendations for good security settings as they
were published in this paper (which was fantastic at the time)?
b) could/should the paper of 2016 not better be removed from the
website?
Cheers
frank
_______________________________________________
Ach mailing list
[email protected] <mailto:[email protected]>
https://lists.cert.at/cgi-bin/mailman/listinfo/ach
_______________________________________________
Ach mailing list
[email protected] <mailto:[email protected]>
https://lists.cert.at/cgi-bin/mailman/listinfo/ach
_______________________________________________
Ach mailing list
[email protected]
https://lists.cert.at/cgi-bin/mailman/listinfo/ach
