GUIDELINES ON SECURING PUBLIC WEB SERVERS [<str<strong>on</strong>g>NIST</str<strong>on</strong>g>02b] [<str<strong>on</strong>g>NIST</str<strong>on</strong>g>06a] [<str<strong>on</strong>g>NIST</str<strong>on</strong>g>06b] [<str<strong>on</strong>g>NIST</str<strong>on</strong>g>06c] [<str<strong>on</strong>g>NIST</str<strong>on</strong>g>07] John Wack et al., <str<strong>on</strong>g>NIST</str<strong>on</strong>g> Special <strong>Public</strong>ati<strong>on</strong> <str<strong>on</strong>g>800</str<strong>on</strong>g>-42, Guideline <strong>on</strong> Network Security Testing, February 2002, http://csrc.nist.gov/publicati<strong>on</strong>s/nistpubs/index.html Marianne Swans<strong>on</strong> et al., <str<strong>on</strong>g>NIST</str<strong>on</strong>g> Special <strong>Public</strong>ati<strong>on</strong> <str<strong>on</strong>g>800</str<strong>on</strong>g>-18 Revisi<strong>on</strong> 1, Guide for Developing Security Plans for Federal Informati<strong>on</strong> Systems, February 2006, http://csrc.nist.gov/publicati<strong>on</strong>s/nistpubs/index.html Karen Kent and Murugiah Souppaya, <str<strong>on</strong>g>NIST</str<strong>on</strong>g> Special <strong>Public</strong>ati<strong>on</strong> <str<strong>on</strong>g>800</str<strong>on</strong>g>-92, Guide to Computer Security Log Management, April 2006, http://csrc.nist.gov/publicati<strong>on</strong>s/nistpubs/index.html Miles Tracy et al., <str<strong>on</strong>g>NIST</str<strong>on</strong>g> Special <strong>Public</strong>ati<strong>on</strong> <str<strong>on</strong>g>800</str<strong>on</strong>g>-45, <str<strong>on</strong>g>Versi<strong>on</strong></str<strong>on</strong>g> 2, <str<strong>on</strong>g>Guidelines</str<strong>on</strong>g> <strong>on</strong> Electr<strong>on</strong>ic Mail Security, February 2007, http://csrc.nist.gov/publicati<strong>on</strong>s/nistpubs/index.html Karen Scarf<strong>on</strong>e and Peter Mell, <str<strong>on</strong>g>NIST</str<strong>on</strong>g> Special <strong>Public</strong>ati<strong>on</strong> <str<strong>on</strong>g>800</str<strong>on</strong>g>-94, Guide to Intrusi<strong>on</strong> Detecti<strong>on</strong> and Preventi<strong>on</strong> Systems (IDPS), February 2007, http://csrc.nist.gov/publicati<strong>on</strong>s/nistpubs/index.html [NVD06] Nati<strong>on</strong>al Vulnerability Database, CVE-2005-0233, September 2006, http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-0233 [Ollm04] [Ollm05] Gunter Ollman, The Phishing Guide: Understanding and Preventing Phishing Attacks, NGSSoftware, September 2004, http://www.nextgenss.com/papers/NISR-WP- Phishing.pdf Gunter Ollman, The Pharming Guide: Understanding and Preventing DNS-Related Attacks by Phishers, NGSSoftware, August 2005, http://www.nextgenss.com/papers/ThePharmingGuide.pdf [OMB00a] Office of Management and Budget Memorandum 2000-13, 2000, http://www.whitehouse.gov/omb/memoranda/m00-13.html [OMB00b] Office of Management and Budget Cookie Clarificati<strong>on</strong> Letter 1, 2000, http://www.whitehouse.gov/omb/inforeg/cookies_letter72<str<strong>on</strong>g>800</str<strong>on</strong>g>.html [OMB00c] Office of Management and Budget Cookie Clarificati<strong>on</strong> Letter 2, 2000, http://www.whitehouse.gov/omb/inforeg/cookies_letter90500.html [OWASP06] Open <strong>Web</strong> Applicati<strong>on</strong> Security Project (OWASP), OWASP Guide, March 2006, http://owasp.cvs.sourceforge.net/*checkout*/owasp/guide/current%20draft.pdf [RSA00] PKCS #10 <str<strong>on</strong>g>Versi<strong>on</strong></str<strong>on</strong>g> 1.7, Certificati<strong>on</strong> Request Syntax Standard, May 26, 2000, ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-10/pkcs-10v1_7.pdf [Salt75] Jerome H. Saltzer and Michael Schroeder, “The Protecti<strong>on</strong> of Informati<strong>on</strong> in Computer Systems,” Proceedings of the IEEE, Vol. 63, pages 1278–1308 [Scam01] Joel Scambray et al., Hacking Exposed Sec<strong>on</strong>d Editi<strong>on</strong>, McGraw-Hill, 2001 [Schn00] Bruce Schneier, Secrets & Lies: Digital Security in a Networked World, John Wiley & S<strong>on</strong>s Inc., 2000 D-2
GUIDELINES ON SECURING PUBLIC WEB SERVERS [SPID06] SPI Dynamics, AJAX Security Dangers, 2006, http://www.spidynamics.com/assets/documents/AJAXdangers.pdf [SSL98] Introducti<strong>on</strong> to SSL, Netscape Communicati<strong>on</strong>, Netscape Corporati<strong>on</strong>, 1998, http://docs.sun.com/source/816-6156-10/c<strong>on</strong>tents.htm [Unsp06] Unspam Technologies, How to Avoid Being Harvested by Spambots, http://www.projecth<strong>on</strong>eypot.org/how_to_avoid_spambots.php [Whit06] James A. Whittaker, “How to Think About Security,” IEEE Security & Privacy, Vol. 4, Issue 2, Mar–Apr 2006, pages 68–71 [WWW01] [Ziri02] The World Wide <strong>Web</strong> Security FAQ, September 2001, http://www.w3.org/Security/Faq/ Neal Ziring, <strong>Web</strong> Server Executi<strong>on</strong>: System and Security Issues, presented to Informati<strong>on</strong> Assurance Technical Framework Forum, March 1, 2002 D-3