Hi, regarding TLS best practices, BSI TR-02102-2 (Version 2018-01) might be a good starting point:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf
(Unfortunately in German only)

NIST provides something similar with SP 800-52 Rev. 2 (Draft):
https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft

Generally these kinds of guidelines/documents tend to get outdated very quickly as technology moves forward very fast.

Cheers
Dominic

> On 12.10.2018 at 08:23, Frank Thommen <[email protected]> wrote:
>
> Every one to two years seems fine to me as "consumer". Maybe with emergency
> updates in-between when critical issues appear?
>
> Ideally the website would announce that the document is regularly updated.
>
> frank
>
>
> On 11/10/18 22:05, Susan E. Sons wrote:
>> There are some corners of the guide that are out of date, but I haven't
>> yet found a better resource to point operators to if they aren't
>> familiar with these security concerns.
>>
>> I'm constantly coming across problems caused by even the software
>> developers' "best practice" recommendations being completely wrong. For
>> example, several major CMSes advise that all executable parts of the CMS
>> be writable by the web server! Well-meaning admins follow these best
>> practices guides not knowing that they are making their installations
>> insecure by doing so.
>>
>> If there were an effort to update the existing material, however, I
>> could probably chip in a small amount of effort from my staff at the
>> Center for Applied Cybersecurity Research to assist with those updates.
>> A new version every year or two may be the best we can do.
>>
>> Susan
>>
>> On 10/11/2018 01:14 PM, Frank Thommen wrote:
>>> Hello,
>>>
>>> recently someone asked if this (bettercrypto?) project is dead. My
>>> impression is that it is at least extremely passive. Not being a
>>> security and network protocol expert I nevertheless think that the
>>> "Applied Crypto Hardening" paper of 2016
>>> (https://bettercrypto.org/static/applied-crypto-hardening.pdf) is
>>> probably very, very outdated and maybe even dangerous to rely on.
>>>
>>> Questions:
>>>
>>> a) Is there some kind of successor project/paper with up-to-date
>>> copy-paste recommendations for good security settings as they
>>> were published in this paper (which was fantastic at the time)?
>>>
>>> b) Could/should the paper of 2016 not better be removed from the
>>> website?
>>>
>>>
>>> Cheers
>>> frank
>>> _______________________________________________
>>> Ach mailing list
>>> [email protected]
>>> https://lists.cert.at/cgi-bin/mailman/listinfo/ach
