Secure Development and Hosting
Websites must be available, reliable and secure. It is, therefore, very important that Bayer takes all necessary steps to ensure the security and integrity of information being distributed on websites. This means that:
The website cannot be “hacked” and its content or data compromised by third parties.
Visitors to a website are not at risk simply by visiting it.
Business interests are not compromised by unreliable hosting.
Websites must be developed by Certified Development Agencies. Websites must either be hosted on Bayer's own infrastructure or with one of the approved hosting providers.
When working with an external partner, either for developing or for hosting a website, you must ensure that the agency or provider agrees at least to the following:
- Hosting complies with the Bayer IT security standards and data protection policies
- Implement both a service level and a maintenance agreement corresponding to business needs
- Carry out a risk analysis and provide a plan for risk minimization
- Bayer retains all rights to the information hosted by the company
- Allow website security scans to be performed by Bayer
Every Bayer website must have a named technical contact, the “webmaster”, who is responsible for its development and who can coordinate with the security officers to facilitate security scans or to respond in the event of a threat.
Approved hosting providers
The Procurement Department maintains a list of approved hosting providers. All such providers have signed general contracts ensuring that the services they provide meet Bayer's requirements for secure hosting. Using an approved hosting provider is generally quicker and cheaper than using a non-approved provider, because the necessary checks have already taken place. However, any website that is not hosted on Bayer’s own infrastructure will require an exception as detailed above.
Content Delivery Network
A content delivery network (CDN) consists of many external web servers around the world which cache website content. The CDN adds several layers of security to our websites:
- The network itself shields Bayer websites from DDoS (distributed denial of service) attacks.
- Websites hosted on a standard content management system have an additional layer of protection called "Site Shield". This ensures that only Akamai servers talk to Bayer’s servers and vice versa. Direct attacks on the Bayer servers themselves are thus not possible.
- A managed service team runs a Web Application Firewall (WAF) in close collaboration with the Bayer security teams (CCDC). The firewall offers additional defence against web application attacks such as:
  - Malicious file execution, where attackers exploit a remote file inclusion vulnerability in the application to introduce hostile data and code.
  - SQL injection, where crafted database queries are passed through a web application to infiltrate or overwhelm its database.
  - Cross-site scripting (XSS), where attackers use vulnerabilities to execute scripts in the visitor’s browser under that user’s session.
  - Non-HTTP/HTTPS attacks
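As an added illustration of the Site Shield principle described above (example code written for this page, not Bayer's or Akamai's own implementation), the following origin-side check accepts connections only from CDN edge prefixes and flags any direct hits found in the origin's access log. The CDN ranges and log lines are constructed placeholders; the real edge prefixes come from the CDN provider.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder prefixes standing in for the CDN provider's
# published edge-server ranges (not real Akamai addresses).
CDN_EDGE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("2001:db8:c0::/48"),
]


def is_cdn_edge(client_ip: str, ranges=CDN_EDGE_RANGES) -> bool:
    """True if the TCP peer address belongs to one of the CDN edge prefixes.

    The decision is made on the socket peer address, never on
    X-Forwarded-For: forwarded headers are attacker-controlled when the
    origin is reached directly, which is exactly the case being blocked.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def origin_gate(peer_ip: str, forwarded_for: Optional[str]) -> Tuple[int, str]:
    """Return (HTTP status, reason) for a request arriving at the origin."""
    if not is_cdn_edge(peer_ip):
        return 403, "origin accepts connections only from CDN edge servers"
    return 200, "served; end-user address per CDN: %s" % (forwarded_for or "unknown")


def direct_hits(access_log: Iterable[str]) -> List[str]:
    """Peer addresses in a common-log-format access log that bypassed the CDN.

    A non-empty result means the origin is reachable around the CDN and the
    Site Shield restriction is not (or no longer) effective.
    """
    hits = []
    for line in access_log:
        peer = line.split(" ", 1)[0]  # first field of the common log format
        if peer and not is_cdn_edge(peer):
            hits.append(peer)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /a.css HTTP/1.1" 200 88',
]
```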