Web Security Map / Basisbeveiliging.nl

Web Security Map creates geographical maps that, in one image, show how well layers the Dutch government and other public institutions are adhering to well known security standards and practices. Security of these governments are graded using the colours of a traffic light. For example: imagine a map of your country with all municipalities, in the three traffic light colours.

The solution is deployed publicly. This allows everyone to see what the current state of security is. It is aimed specifically at non-IT knowledgeable people: the common citizen and C-level managers. This is intentional, as they are the driving force for creating a budget to solve security issues. Citizens, in the end, are the ones negatively impacted when there is a lack of security.

The project goes naming and shaming: it continuously re-measures the current state of security and stores all measurements over time. An improved security posture will thus be reflected publicly in a matter of days. We call this "faming", taken from the word "Fame".

Every metric that is performed is published, which means there is a careful tradeoff on what to measure and what to display. For this various ethical guidelines have been set up in order to only support security and not cause damage. There are currently over 130 different metrics in the solution covering well known security practices such as correct domain ownership, physical location (and jurisdiction) of web and mail servers, preventing login portal exposure, anti spoofing for e-mail, security.txt, secure sites over https, dnssec, privacy, version number exposure and many more.

Everyone can see these metrics, which are accompanied by documentation and a second opinion test link.

The solution has many other views on the gathered data. For example a chart of what organisations are performing the best or the worst. It shows trend lines over time, it shows month-by-month comparison over each metric showing improvement (or degradation) and so on.

The transparency that the solution has generated resulted in fixing well over 20.000 security issues and probably many more indirectly. In the Netherlands these initiatives measure about 50.000 internet domains such as rijksoverheid.nl.