Application information must be available, have integrity, and be confidential.
Where do you implement security?
Most people consider security only on the external interfaces. This is a fallacy.
You should implement security and sanity checks throughout your entire application, not only at its edges, to avoid issues anywhere in the app.
Who is a threat?
- Script Kiddies
- Hackers
- Crackers
- Unconscious users (no, not knocked out, but rather they don't know what they're doing)
- Your own framework (modules talking to modules).
- Physical environment.
- Take the entire SDLC, and create specialized security methods for each portion.
- Securing your application is NEVER done. Each release is an iteration of security, and must be revisited on each release.
Functional and non-functional requirements both feed into the application, but security needs to be considered a functional requirement. Generally these fall under the system requirements.
Test plans:
- Training
- Awareness
- Outside-the-box thinking
- Codified security test plans
- Use tools
- Review application w/programmers
- Reporting and analysis
- End goal: clean bill of health
- Remote code execution
- XSS
- SQL Injection
- PHP Configuration
- File system attacks
Best Practices:
- Whitelisting vs. blacklisting
- Filter input, escape output
- Keep errors to yourself (i.e., "invalid password, 3rd letter correct"... right...)
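The three best practices above applied to a PHP login form, as an added example that is not part of the original notes. The function names, the `users` table layout and the `$pdo` connection are assumptions.

```php
<?php
// Added example (not from the original notes). Table, column and function
// names are assumptions; $pdo is assumed to be a configured PDO connection.
declare(strict_types=1);

// Whitelisting: accept only usernames matching a known-good pattern instead
// of trying to blacklist every character an attacker might send.
function validate_username(string $raw): ?string
{
    return preg_match('/^[a-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

// Filter input: a prepared statement keeps user data out of the SQL grammar,
// which is what stops SQL injection.
function find_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Keep errors to yourself: the same generic message whether the username is
// unknown, malformed, or the password is wrong. Details go to the server log.
function login(PDO $pdo, string $rawUser, string $rawPass): string
{
    $username = validate_username($rawUser);
    $user = $username === null ? null : find_user($pdo, $username);
    // Verify against a constructed dummy hash when the user is unknown so the
    // response time does not reveal which usernames exist.
    $hash = $user['password_hash'] ?? password_hash('dummy-placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($rawPass, $hash);
    if ($user === null || !$ok) {
        error_log('login failed for ' . ($username ?? '<rejected username>'));
        return 'Invalid username or password.';
    }
    return 'Welcome back.';
}

// Escape output: anything echoed back into HTML is encoded, which is what
// stops reflected XSS.
function render_message(string $msg): string
{
    return '<p>' . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Usage (assumes a request with 'user' and 'pass' fields):
// echo render_message(login($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? ''));
```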