Sunday 20 November 2016

App Security 2 - What can I do without encoding

As the brief outlines the appearance of an app, no encoding is needed on my part; that is an element of design of which I have no knowledge. As a result of this, when my app is complete, guided outlines will be developed which suggest security methods to the encoders. Other than coding methods, other factors can be used in order to make the app more secure. Some of these are outlined below:


Enforce a strong password policy

If your app does not enforce a password policy along the following lines, there is a good chance that a smart user will end up looking into his boss's private data:

  • Strong passwords: at least 6 characters long and alphanumeric (letters and digits). Treat 6 as the absolute floor: current guidance (NIST SP 800-63B) is a minimum of 8 characters, and rejecting passwords that appear on lists of breached or common passwords does more for security than complexity rules do.
  • Restrict failed password attempts to 3 to 5, then lock the account or add a delay for a fixed period. Keep the lockout temporary and counted per account; a permanent lockout lets an attacker lock out any user whose username they know.
  • Password expiry: make sure users change their passwords whenever there is any sign of compromise, and periodically if your policy requires it. Be aware that forced rotation on a fixed schedule is no longer recommended by NIST, because it tends to produce weaker, predictable passwords.
  • Don't give the hacker a clue: for failed authentication give a single generic error message such as 'Invalid credentials'. Don't hint whether the username or the password was wrong, and keep the response time the same for unknown and known usernames, since a faster failure for unknown users also reveals which accounts exist.
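The four points above fit together in one login routine. The following is an added example, not code from the post or from the author's app: a small in-memory user store that checks the password policy at registration, hashes passwords with salted PBKDF2, counts failed attempts per account with a temporary lockout, and returns the same "Invalid credentials" message (and the same hashing cost) on every failure path. The policy values (8 characters, 5 attempts, a 15-minute lockout) and the small blocklist are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Policy values assumed for this example. The post gives 6 characters and 3-5
# attempts; 8 is the NIST SP 800-63B minimum and 5 is the upper end of the post's range.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000
GENERIC_FAILURE = "Invalid credentials"   # the only failure message a caller ever sees

# Constructed blocklist; a real deployment would check a breached-password corpus.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}


def check_password_policy(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store the plain password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    """In-memory user table: username -> salt, hash, failed-attempt counter, lockout deadline."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest,
                                "failures": 0, "locked_until": 0.0}

    def login(self, username, password, now=None):
        """Return (success, message). Every failure path returns the same message."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            # Burn the same hashing cost as a real check so response time does not
            # reveal whether the username exists.
            hash_password(password, b"\x00" * 16)
            return False, GENERIC_FAILURE
        if now < record["locked_until"]:
            # A locked account rejects even the correct password, with the same message.
            return False, GENERIC_FAILURE
        _, candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["failures"] = 0
            return True, "OK"
        record["failures"] += 1
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            record["locked_until"] = now + LOCKOUT_SECONDS
            record["failures"] = 0
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "c0rrectHorse9")
    print(store.login("alice", "c0rrectHorse9"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "wrong-guess"))
    print(store.login("alice", "c0rrectHorse9"))  # locked out now, same generic message
```

The `now` parameter exists so the lockout window can be exercised deterministically; a real server would simply use the clock. The lockout is per account rather than per source address, so an attacker rotating addresses still cannot exceed five guesses per 15 minutes against one user.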


Guard against malicious input

  • URL tampering: passing things like a user ID through the URL may make your life easier. However, keep in mind the consequences if a user replaces his own ID with the admin's and proceeds to use the system. The server must check that the logged-in session is allowed to access the requested record; the ID in the URL is only a request, never proof of ownership.
  • Error-prone input: always validate user input on the server to verify that it is within the expected boundaries (type, length, range) and free of any special characters you cannot process. Reject input that does not match what you expect rather than trying to clean it up.
  • Malicious scripts: if your system accepts HTML from users, make sure it cannot carry scripts. Simply stripping SCRIPT blocks is not enough, because an attacker can use an event-handler attribute (for example onerror on an img tag) or a javascript: URL with no script tag at all. Either escape the HTML so that it is displayed as text, or run it through a sanitiser that allows only a fixed list of harmless tags and attributes.
  • Repeated requests: put a limit on your server on how fast and how many requests it will accept from one client. This guards against DoS (denial of service) attacks in which a single client hammers your server until it is starved of resources and stops responding. Limiting by client address deals with one client; a distributed attack needs protection upstream of the server as well.
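The following is an added example, not code from the post or from the author's app, that shows each of the four checks above in working form: an account lookup that authorises against the session rather than the ID in the URL, strict parsing of a numeric ID, a naive script-stripper next to proper escaping (to show why the naive version fails), and a sliding-window rate limiter keyed by client address. The account table, client addresses and limits are constructed sample data.

```python
import html
import re
import time
from collections import deque

# Constructed sample data: account id -> owner and balance.
ACCOUNTS = {
    1: {"owner": "admin", "balance": 100000},
    42: {"owner": "alice", "balance": 250},
}

ACCOUNT_ID_RE = re.compile(r"[0-9]{1,10}")


def parse_account_id(raw):
    """Error-prone input: accept only a short decimal number, reject everything else."""
    if not ACCOUNT_ID_RE.fullmatch(raw):
        raise ValueError("invalid account id")
    return int(raw)


def get_account(session_user, requested_id, session_is_admin=False):
    """URL tampering: the session decides what the caller may see, not the URL.
    Returns None (treat as 404/403) when the record is missing OR not owned by the caller,
    so the response does not confirm which ids exist."""
    account = ACCOUNTS.get(requested_id)
    if account is None:
        return None
    if not session_is_admin and account["owner"] != session_user:
        return None
    return account


def strip_script_blocks(text):
    """The approach the post suggests: remove <script>...</script>. Shown here only to
    demonstrate that it leaves event-handler payloads untouched."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", text, flags=re.I | re.S)


def escape_html(text):
    """Safe default: render user-supplied HTML as literal text."""
    return html.escape(text, quote=True)


class RateLimiter:
    """Repeated requests: allow at most max_requests per client in any window_seconds span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = {}  # client address -> timestamps of recent requests

    def allow(self, client, now=None):
        now = time.time() if now is None else now
        q = self.hits.setdefault(client, deque())
        while q and q[0] <= now - self.window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    print(get_account("alice", parse_account_id("42")))   # alice's own account
    print(get_account("alice", parse_account_id("1")))    # admin's account: None
    payload = '<img src=x onerror=alert(1)>'
    print(strip_script_blocks(payload))   # still executable: no <script> tag to strip
    print(escape_html(payload))           # rendered as text
    limiter = RateLimiter(max_requests=3, window_seconds=10)
    print([limiter.allow("10.0.0.1", now=t) for t in (0, 1, 2, 3)])
```

`parse_account_id` runs before the lookup so that something like `42 OR 1=1` never reaches a query; `get_account` then returns the same None for "does not exist" and "not yours". In a real deployment the rate limiter's table would live in a shared store such as Redis so that every server instance sees the same counts.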



Map user session to IIS user session

  • When the user logs out of the application, end the server-side session as well (on ASP.NET under IIS that means Session.Abandon() together with FormsAuthentication.SignOut() and clearing the cookie), and when the server-side session expires, make the application require a fresh login. Deleting the cookie on the client is not enough on its own, because the server-side record would still answer to anyone holding a copy of that cookie.
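To make the two directions concrete, here is an added example (not code from the post or from the author's app) of a server-side session table keyed by an unguessable cookie value: logout deletes the server record, an idle timeout expires it on the server regardless of what the client still holds, and a payment handler refuses to act without a live session. The 30-second idle timeout matches the figure in the post's conclusion; the user names and amounts are constructed.

```python
import secrets
import time


class SessionStore:
    """Server-side session table: session id (held in the client's cookie) -> user, last activity."""

    def __init__(self, idle_timeout_seconds):
        self.timeout = idle_timeout_seconds
        self.sessions = {}

    def create(self, user, now=None):
        """Called after a successful login; returns the value to put in the cookie."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def user_for(self, sid, now=None):
        """Return the logged-in user for this cookie, or None if the session is gone or idle too long."""
        now = time.time() if now is None else now
        record = self.sessions.get(sid)
        if record is None:
            return None
        if now - record["last_seen"] > self.timeout:
            del self.sessions[sid]   # expired on the server: the cookie is now worthless
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, sid):
        """Application logout must remove the server-side record, not only the client cookie."""
        self.sessions.pop(sid, None)


def make_payment(store, sid, amount, now=None):
    """Every sensitive action re-checks the session; no live session means a new login."""
    user = store.user_for(sid, now)
    if user is None:
        return "login required"
    return "%s paid %d" % (user, amount)


if __name__ == "__main__":
    store = SessionStore(idle_timeout_seconds=30)
    sid = store.create("alice", now=0.0)
    print(make_payment(store, sid, 10, now=5.0))    # alice paid 10
    print(make_payment(store, sid, 10, now=40.0))   # login required (35 s idle)
    store.logout(sid)
    print(store.user_for(sid, now=41.0))            # None
```

Because `user_for` refreshes `last_seen` on every successful check, the timeout is an idle timeout: a user who keeps making payments stays logged in, and one who walks away is logged out on the server after 30 seconds even if the browser tab is still open.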


Conclusion


From this information, key factors have been uncovered which should be included in the app's security system:

  • The app should enforce a password policy, with a limit on failed attempts and one generic error message for any failure.
  • Limit how many requests can be made from one client.
  • After 30 seconds of using the code, the timer should go off, forcing you to log back on to make further payments.
