Web Application Security Guide

With the development of the Internet in Morocco, public administrations increasingly seek to establish an online presence through websites or web applications offering services to citizens or third parties. However, vulnerabilities in these web applications have become the most significant vector for attacks on the information systems of these administrations. According to various reports published this year by observatories and cybersecurity companies, web attacks are continuously increasing. The consequences can be severe for the affected administrations:

  •  Damage to the administration's image,
  •  Defacement of the site to relay political messages (hacktivism), to denigrate or to claim responsibility for an attack,
  •  Compromising the integrity of the information system,
  •  Exfiltration of sensitive data and information.

Therefore, we can no longer tolerate even the simplest issues, such as those presented in the OWASP Top 10, which are primarily due to insecure development and deployment. Thus, implementing methods and tools to manage the development and quality control of applications is more necessary than ever to reduce their vulnerability.

In this context, this guide aims to help information system security managers by presenting security rules to be followed during the various phases of an application’s lifecycle to better secure their web applications.

This document is organized into four parts:

  •  The first part presents basic recommendations to be followed, including security clauses to be integrated into the special specifications and training;
  •  The second part is dedicated to best practices to avoid the most well-known vulnerabilities in web application development;
  •  The third part focuses on best practices during the deployment and production of a web application. It also explains the process of incident detection and the steps to take in case an incident occurs.

To report any criminal digital content, including threats to the security of individuals and groups, praise or incitement of terrorism, and violations of the rights and freedoms of children, please use the following platform: www.e-blagh.ma

DGSSI 2024. All rights reserved.