政府機關過去在規劃建置資通系統時，常因人力、時間、成本的考量，而採委外開發方式辦理；因此，在2019年正式實施之資通安全管理法及其子法中，針對各機關辦理資通系統建置委外，選任及監督受託者時應注意事項有一定的要求，而這些要求要如何納入委外需求中呢？另外對於有意願成為受託者之系統開發業者亦有著一定的影響，該如何強化自身資通安全管理措施，以及對資通系統該如何符合委外要求，是一個值得深入探究的課題。
本研究以資通安全管理法及其子法有關Web應用系統安全要求，並參考最新國際機構對於應用系統資訊安全控制措施之實作建議，針對行政院資通安全處公告之「WEB網站建置與個人資料管理維運RFP」所訂Web應用程式安全控制措施，提出精進與調整建議，並請資安專家協助確認。本研究成果可作為政府機關辦理Web應用系統委外開發時訂定資安需求之指引，並可作為系統開發業者於系統開發流程納入資安要求之參考，共同提升Web應用程式安全。

Due to the considerations of manpower, time and cost, the government usually outsourced the development of its information and communication systems in the past. The Cyber Security Management Act officially released in 2019 had new requirements on selecting and monitoring the outsourcing companies of information and communication system developing projects. That how to put these requirements into the document of request for proposal (RFP) is a problem for the information technology (IT) sectors of government. Relatively, these new requirements have also a considerable effect on system development companies’ willingness to be a business partner; therefore, the topics of how to strengthen IT security management and further to meet the information security requirements of their delivered systems for those outsourced companies are worth deeply investigating.
This study examines the security requirements of web applications in Cyber Security Management Act, and makes recommendations based on the latest information security controls of international institutes. This study also makes some suggestions on the enhancement and adjustment of “Web Application Security Control Measures” in “Website Building and Personal Data Management and Maintenance RFP” promulgated by Department of Cyber Security in Executive Yuan. The proposed suggestions were also confirmed by information security experts in this study. This research can be used as references or guidelines for government agencies to make the security requirements in outsourcing projects of Web application systems. It can also serve as the security requirement references for system developers to improve the security of the delivered web applications.

參考文獻
中文文獻
王玉民（1994）。社會科學研究方法原理。台北市：洪葉文化事業有限公司，147頁。
王宣智、李樹民（2009）。政府資訊委外之檢討與建議。科技發展政策報導，第1期，18-29頁。
行政院（2018）。資通安全管理法。
行政院主計總處（2008）。政府機關「資訊系統委外開發」概況調查報告。
行政院國家資通安全會報（2014）。103年度安全控制措施參考指引。行政院國家資通安全會報技術服務中心。http://download.nccst.nat.gov.tw/attachfilecomm/103%E5%B9%B4%E5%AE%89%E5%85%A8%E6%8E%A7%E5%88%B6%E6%8E%AA%E6%96%BD%E5%8F%83%E8%80%83%E6%8C%87%E5%BC%95(%E4%BF%AE%E8%A8%82)(V2.0)_1041029.rar
行政院國家資通安全會報（2018）。106年度WEB應用程式安全參考指引。行政院國家資通安全會報技術服務中心。http://download.nccst.nat.gov.tw/attachfilecomm/106%E5%B9%B4Web%E6%87%89%E7%94%A8%E7%A8%8B%E5%BC%8F%E5%AE%89%E5%85%A8%E5%8F%83%E8%80%83%E6%8C%87%E5%BC%95.rar
行政院資通安全處（2015）。資訊系統分級與資安防護基準作業規定。行政院國家資通安全會報。https://nicst.ey.gov.tw/Page/7CBD7E79D558D47C/acdef7ac-a760-4bf2-8229-b052261fb806
行政院資通安全處（2018）。資通安全管理法施行細則。
行政院資通安全處（2018）。資通安全責任等級分級辦法。
行政院資通安全處（2019）。107年度政府資訊作業委外安全參考指引修訂報告。行政院國家資通安全會報技術服務中心。http://download.nccst.nat.gov.tw/attachfilecomm/107%E5%B9%B4%E6%94%BF%E5%BA%9C%E8%B3%87%E8%A8%8A%E4%BD%9C%E6%A5%AD%E5%A7%94%E5%A4%96%E5%AE%89%E5%85%A8%E5%8F%83%E8%80%83%E6%8C%87%E5%BC%95(%E4%BF%AE%E8%A8%82)(V5.2).rar
朱柔若（譯）（1996）。社會科學研究方法與資料分析（Research Methods and Data Analysis in the Social Sciences）（原作者：Thomas Herzog)。新北市：揚智文化事業股份有限公司。（原著出版年：1996）
陳彥銘（2017）。密碼安全性原則,困擾的是駭客還是自己,清流雙月刊, 2017 年 11 月號。
 
英文文獻
Grover, V., Cheon, M.J. and Teng,J.T.C. (1996), The Effect of Service Quality and Partnership on the Outsourcing of Information Systems Function. Journal of Management Information Systems, Vol.12 No.4 1996.
IEEE (2015), Avoiding the Top 10 Software Security Design Flaws. Institute of Electrical and Electronics Engineers. available at
https://cybersecurity.ieee.org/blog/2015/11/13/avoiding-the-top-10-security-flaws/
John P. Mello Jr. (2018), OWASP Top 10 Proactive Controls 2018: How it makes your code more secure. TechBeacon, 20 Sep 2018. available at
https://techbeacon.com/security/owasp-top-10-proactive-controls-2018-how-it-makes-your-code-more-secure
Lacity, M. C & Hirschheim, R. (1993), The information system outsourcing bandwagon. Sloan Management Review (34:4), pp. 73-86.
Microsoft (2004), What is the Security Development Lifecycle ? . Microsoft. avaliable at: https://www.microsoft.com/en-us/securityengineering/sdl/
NIST (2013), Security and Privacy Controls for Federal Information Systems and Organizations. National Institute of Standards and Technology. available at
https://nvd.nist.gov/800-53
NIST (2017), Digital Identity Guidelines. National Institute of Standards and Technology. available at
https://pages.nist.gov/800-63-3/sp800-63b.html
OWASP (2016), Mobile Top 10 2016-Top 10. Open Web Application Security Project, OWASP. available at https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
OWASP (2017), OWASP Top Ten Project. Open Web Application Security Project, OWASP. available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP (2018), OWASP Proactive Controls. Open Web Application Security Project, OWASP. available at https://www.owasp.org/index.php/OWASP_Proactive_Controls
OWASP (2019), About The Open Web Application Security Project. Open Web Application Security Project, OWASP. available at https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project
Symantec (2017), Internet Security Threat Report. Symantec Corporation, April 2017. available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf
Symantec (2019), Internet Security Threat Report. Symantec Corporation, February 2019. Available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf