Application security 10 Commandments

29 November 2006

Many people ask "what should I do to implement Application Security?"


Well, it is not that simple, but to make a long story short you should do the following:

  1. Create a threat modeling document.
  2. Make sure you take care of the following issues:

    - Input Validation
      Map all your inputs and make sure every input coming from an untrusted source (request parameters, headers, cookies, uploaded files, data from other systems) is validated against what the application expects before it is used.

    - Authentication
      Users are properly authenticated, and the authentication ticket (session cookie or token) is protected in transit and at rest so that it cannot be forged, stolen or replayed.

    - Authorization
      The right to perform an action is granted only to the correct user, and the check is enforced on the server with a proven mechanism, never left to the client.

    - Configuration Management
      Configuration data is locked down, since it typically holds highly sensitive values such as connection strings, credentials and keys.

    - Sensitive Data
      Define which data is sensitive in the application context, and protect it accordingly in storage, in transit and in logs.

    - Session Management
      Session data is well protected: session identifiers are unpredictable, sessions expire, and session state is kept server-side or integrity-protected.

    - Cryptography
      Use standard, vetted algorithms and implementations rather than your own, and use cryptography only where it actually addresses a threat.

    - Parameter Manipulation
      Parameters the application transfers between modules and the UI (query strings, form and hidden fields, cookies) are treated as untrusted once they have passed through the client: validate them again on the server and integrity-protect anything that must not be altered.

    - Exception Management
      Exception information is sanitized before it reaches the user and logged in full on the server.

    - Auditing and Logging
      Information about the application's runtime state and security-relevant events is logged to enable monitoring, and proper tools are supplied for querying this information.

  3. Perform security testing.
  4. Make sure your product is properly deployed.
  5. Communicate security issues to your customers.
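As an added illustration, not code from the original post, the following Python sketch puts three of the items above into working code: allowlist input validation, HMAC-protected parameters that round-trip through the client, and exception handling that hands the user a generic message with a reference id while the full trace goes to the server log. The function names, the price table, the key and the sample requests are all constructed for this example.

```python
# Added example, not code from the original post: three of the checklist items
# (input validation, parameter manipulation, exception management) in Python.
# All names and the sample inputs below are constructed for illustration.
import hashlib
import hmac
import logging
import re
import time
import uuid

log = logging.getLogger("app")

# Input validation: every untrusted field is mapped to an explicit allowlist rule.
RULES = {
    "item": re.compile(r"^[a-z]{1,20}$"),
    "quantity": re.compile(r"^[1-9][0-9]{0,3}$"),  # 1..9999, no sign, no whitespace
}

# Server-side price table: the client never supplies a price (parameter manipulation).
ITEM_PRICES = {"widget": 250, "gizmo": 1200}


class ValidationError(ValueError):
    pass


def validate_input(fields):
    """Return the validated fields; reject unknown fields and anything off-pattern."""
    clean = {}
    for name, value in fields.items():
        rule = RULES.get(name)
        if rule is None or not isinstance(value, str) or not rule.fullmatch(value):
            raise ValidationError(f"invalid field: {name}")
        clean[name] = value
    return clean


# Parameter manipulation: integrity-protect values that round-trip through the client
# (hidden fields, cookies, tickets) with an HMAC the client cannot compute.
SECRET = b"server-side key, never sent to the client"  # constructed for the example


def protect(value, key=SECRET, now=None, ttl=600):
    """Return 'value|expiry|hmac' suitable for a hidden field or cookie."""
    now = time.time() if now is None else now
    msg = f"{value}|{int(now) + ttl}"
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{tag}"


def unprotect(token, key=SECRET, now=None):
    """Return the original value, or None if the token was altered or has expired."""
    now = time.time() if now is None else now
    try:
        value, exp, tag = token.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(key, f"{value}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if int(exp) < int(now):  # exp is trustworthy only after the tag check above
        return None
    return value


def handle_request(fields):
    """Validate, process, and never leak internals to the caller."""
    try:
        clean = validate_input(fields)
        total = int(clean["quantity"]) * ITEM_PRICES[clean["item"]]
        return {"ok": True, "total": total}
    except ValidationError as e:
        log.info("rejected input: %s", e)  # audit trail, nothing sensitive
        return {"ok": False, "error": "invalid input"}
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("ref=%s unhandled error", ref)  # full trace stays server-side
        return {"ok": False, "error": f"internal error, reference {ref}"}


if __name__ == "__main__":
    print(handle_request({"item": "widget", "quantity": "3"}))   # ok, total 750
    print(handle_request({"item": "widget", "quantity": "-3"}))  # invalid input
    print(handle_request({"item": "gadget", "quantity": "3"}))   # internal error, reference ...
    token = protect("42", now=1000)
    print(unprotect(token, now=1000), unprotect("43" + token[2:], now=1000))  # 42 None
```

The reference id returned to the user is the only thing that links the generic error to the full stack trace in the server log, which is what the exception-management and logging items above ask for; the HMAC tag covers both the value and its expiry, so an attacker who edits either in a hidden field or cookie gets a rejected request rather than a changed price or quantity.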

manu


one comment

  1. alikl, 29 November 2006 at 21:48

    Great post, man[u]!!!
    Do not forget to point to these next time 🙂

    http://msdn.com/SecurityEngineering
    http://msdn.com/ThreatModeling
