This project is read-only.

Countermeasures for Web Applications

- J.D. Meier, Paul Enfield.

Category Countermeasures
Auditing and Logging * Identify malicious behavior
* Know your baseline (know what good traffic looks like)
* Use application instrumentation to expose behavior that can be monitored
Authentication * Encrypt communication channels to secure authentication tokens
* Use HTTPS only with forms authentication cookies
* Use authentication mechanisms that do not require clear text credentials to be passed over the network
* Do not store credentials
* Use strong password policies
* Separate anonymous from authenticated pages
Authorization * Use multiple gatekeepers
* Consider granularity of access
* Enforce separation of privileges
* Use least privilege accounts
Configuration Management * Do not store credentials in clear text
* Avoid storing sensitive information in the Web space
* Use only local administration
* Use strong authentication and authorization on administrative interfaces
Cryptography * Do not develop and use proprietary algorithms (XOR is not encryption. Use established cryptography such as RSA)
* Avoid key management.
* Use the RNGCryptoServiceProvider method to generate random numbers
* Periodically change your keys
Exception Management * Do not log private data such as passwords
* Do not reveal sensitive system or application information
* Use structured exception handling (by using try/catch blocks)
* Catch and wrap exceptions only if the operation adds value/information
Input and Data Validation * Do not trust input
* Validate input: length, range, format, and type
* Constrain, reject, and sanitize input
* Encode output
* Uniquely identify transactions
Sensitive Data * Do not store secrets in software
* Encrypt sensitive data over the network
* Secure the channel
Session Management * Secure the channel to the session store
* Authenticate and authorize access to the session store
* Partition site by anonymous, identified, and authenticated users
* Reduce session timeouts
* Avoid storing sensitive data in session stores

Last edited May 20, 2010 at 8:28 PM by paulenfield, version 2


No comments yet.