Basic Security Best Practices

1. Always validate user input. A user can type HTML or JavaScript into a text box, and if that text is written back into a page unescaped, a malicious user can embed his own links, rewrite the href of your existing links, or run script in other users' browsers (cross-site scripting). Validate each field against an allowlist of what it may legitimately contain (a username of letters, digits and a few punctuation characters, a bounded length for free text) rather than trying to strip "suspicious" non-alphanumeric characters with a regex; stripping mangles legitimate input and still misses context-specific escapes. Then encode the value for the context it is rendered in (HTML-escape it for page content) whenever it is echoed back.

2. When taking information from a request, e.g. request.getParameter(...), validate it exactly as in point 1. Never trust a parameter because it came from a form you wrote: an attacker can craft the request by hand and send any value at all.
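As an added example (not code from the original post), here is how points 1 and 2 look in plain Java: an allowlist check for a username, a length check for a free-text comment, and HTML encoding of anything echoed back. The field rules (3 to 32 characters from [A-Za-z0-9._-] for the username, 500 characters for a comment) and the class and method names are assumptions chosen for illustration; in a servlet the two strings would come from request.getParameter.

```java
import java.util.regex.Pattern;

// Added example, not from the original post. Field rules are assumptions.
public class InputHandling {

    // Allowlist: only what a username may legitimately contain (assumed policy).
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    /** Strict allowlist validation for a structured field. */
    public static boolean isValidUsername(String raw) {
        return raw != null && USERNAME.matcher(raw).matches();
    }

    /** Free text can legitimately contain < or &, so only its length is constrained;
     *  output encoding is what prevents injection for this field. */
    public static boolean isValidComment(String raw) {
        return raw != null && raw.length() <= 500;
    }

    /** Encode for an HTML text or attribute context: escape, never strip. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** What a servlet would do with request.getParameter("user") and ("comment"):
     *  validate on the way in, encode on the way out, say nothing useful on failure. */
    public static String renderComment(String user, String comment) {
        if (!isValidUsername(user) || !isValidComment(comment)) {
            return "<p>Invalid input.</p>";   // generic: the bad value is not echoed
        }
        return "<p><b>" + escapeHtml(user) + "</b>: " + escapeHtml(comment) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate pair, then two hostile ones.
        System.out.println(renderComment("alice_01", "Nice post & thanks"));
        System.out.println(renderComment("alice_01", "<script>alert(1)</script>"));
        System.out.println(renderComment("\"><a href=\"http://evil.example/\">x</a>", "hi"));
    }
}
```

The second call shows why encoding matters even for input that passed validation: the comment is legitimate by the length rule, and the angle brackets reach the page only as &lt; and &gt;. The third call is rejected by the username allowlist before it is rendered at all.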

3. Add a timeout to user sessions, and protect the expiry with a MAC so the client cannot extend it. Issue a token that carries the session identifier and an expiry timestamp together with an HMAC over both, computed with a key only the server holds; reject the token if the MAC does not verify or the expiry has passed.

4. HTTP POST is for updating, HTTP GET is for reading. Never let a GET change state: GET URLs end up in browser history, server logs and Referer headers, and an attacker's page can trigger them with a plain link or image tag.

5. Set the character set explicitly at the top of the page, so the browser does not have to guess it. This reduces the escaping and canonicalization tricks available to attackers, e.g. Content-Type: text/html; charset=ISO-8859-1 (today UTF-8 is the usual choice; what matters is that it is declared).

6. The less information sent back to the client about a failed request or operation, the better: say the operation failed, not why. Any detail is a clue an attacker can use. The classic example is login pages that used to say "Invalid password" or "No user with that username exists". That tells the attacker he has found a valid username, and he can then run password-guessing software against it.

7. A note on passwords:

  • Tunnel the request through SSL/TLS so the password never travels in the clear.
  • Give only a simple, uniform failure message for failed login attempts; don't say why the login failed.
  • Log failed attempts (username, source address, time) but never the password that was tried.
  • Store passwords with a salted, slow, one-way function built on a cryptographic hash, never reversibly. PBKDF2 with a per-user random salt and a high iteration count is a good choice.
  • Provide a secure mechanism to change the password (over TLS, after re-authenticating with the current one).
  • A password reset must never send the old password out; if storage is done properly you cannot recover it anyway. Send a temporary password or reset link that is single-use and expires.
  • Passwords should be strong, and the screen should carry clear instructions on what is required.
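The following is an added example (not code from the original post) that puts points 6 and 7 together: PBKDF2 storage with a per-user random salt, a login check that returns only true or false so the caller can show one generic message, a log line that records the attempt but not the password, and a dummy record so that looking up a username that does not exist costs the same hashing work as a wrong password. The iteration count, the in-memory map standing in for a database table, and the class and method names are assumptions chosen for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not from the original post. Parameters are assumptions.
public class PasswordStore {
    private static final int ITERATIONS = 600_000;   // assumption: tune so one hash takes ~100 ms on your hardware
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Constructed stand-in for a database table: username -> "iterations$base64(salt)$base64(hash)"
    private final Map<String, String> users = new HashMap<>();
    // Record used for unknown usernames, so their lookup does the same work as a real one
    private final String dummyRecord = hash("not-a-real-password".toCharArray(), newSalt());

    private static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String hash(char[] password, byte[] salt) {
        byte[] dk = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    public void register(String user, char[] password) {
        users.put(user, hash(password, newSalt()));
    }

    /** True only on success. Every false looks the same to the caller: unknown user and
     *  wrong password both take one PBKDF2 computation and both produce one log line. */
    public boolean login(String user, char[] password) {
        String record = users.getOrDefault(user, dummyRecord);
        String[] parts = record.split("\\$");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        // Constant-time comparison; the containsKey check stops the dummy record ever logging anyone in.
        boolean ok = MessageDigest.isEqual(expected, actual) && users.containsKey(user);
        if (!ok) {
            System.err.println("failed login for user=" + user);   // the attempted password is never logged
        }
        return ok;
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        store.register("alice", "correct horse battery staple".toCharArray());
        System.out.println(store.login("alice", "correct horse battery staple".toCharArray()));
        System.out.println(store.login("alice", "wrong".toCharArray()));
        System.out.println(store.login("bob", "anything".toCharArray()));
    }
}
```

The last two calls are the point of the example: a wrong password for an existing user and any password for a non-existent one are indistinguishable to the client, both in the answer and in the time the server takes to give it. The iteration count is embedded in each record so it can be raised later without invalidating existing hashes.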

8. Session ids must come from a cryptographically secure random number generator; java.util.Random, a timestamp or a counter is predictable, and a predictable session id lets an attacker take over other users' sessions. Use the system CSPRNG, in Java SecureRandom:

    import java.security.SecureRandom;

    byte[] test = new byte[20];               // 160 bits of session id
    SecureRandom crng = new SecureRandom();   // seeded from the operating system's entropy source
    crng.nextBytes(test);
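The following is an added example (not code from the original post) that combines point 8 with point 3: the session id comes from SecureRandom, and it is issued to the client inside a token of the form sessionId.expiry.HMAC-SHA256(sessionId.expiry) under a server-only key. The 30-minute lifetime, the 32-byte server key and the class and method names are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not from the original post. Key size and lifetime are assumptions.
public class SessionTokens {
    private static final SecureRandom CRNG = new SecureRandom();
    private final byte[] serverKey;   // assumption: a 32-byte secret that never leaves the server
    private final long ttlMillis;

    public SessionTokens(byte[] serverKey, long ttlMillis) {
        this.serverKey = serverKey.clone();
        this.ttlMillis = ttlMillis;
    }

    /** Point 8: a 20-byte session id from the system CSPRNG, URL-safe base64 (no '.' characters). */
    public static String newSessionId() {
        byte[] id = new byte[20];
        CRNG.nextBytes(id);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(id);
    }

    private byte[] mac(String payload) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(serverKey, "HmacSHA256"));
            return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Point 3: the expiry travels with the token, but only the server key can produce its tag. */
    public String issue(String sessionId, long nowMillis) {
        String payload = sessionId + "." + (nowMillis + ttlMillis);
        return payload + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    /** Returns the session id if the tag verifies and the expiry has not passed, otherwise null. */
    public String verify(String token, long nowMillis) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        String payload = parts[0] + "." + parts[1];
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison, so a forged tag cannot be matched one byte at a time.
        if (!MessageDigest.isEqual(mac(payload), given)) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis >= expiry) return null;
        return parts[0];
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        CRNG.nextBytes(key);
        SessionTokens tokens = new SessionTokens(key, 30 * 60 * 1000L);   // 30-minute timeout

        long now = System.currentTimeMillis();
        String token = tokens.issue(newSessionId(), now);
        System.out.println("fresh token accepted:    " + (tokens.verify(token, now + 1000) != null));
        System.out.println("expired token accepted:  " + (tokens.verify(token, now + 31 * 60 * 1000L) != null));

        // The client pushes the expiry a year into the future; the tag no longer matches the payload.
        String[] p = token.split("\\.");
        String tampered = p[0] + "." + (Long.parseLong(p[1]) + 365L * 24 * 3600 * 1000) + "." + p[2];
        System.out.println("tampered token accepted: " + (tokens.verify(tampered, now + 1000) != null));
    }
}
```

The MAC is checked before the expiry is parsed, so untrusted data is only interpreted once it is known to have come from the server. The token still needs to be carried in a cookie marked Secure and HttpOnly, and the server key must be rotated with care, since rotating it invalidates every outstanding token.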


George Graham, a master of security

