
Application Security Tips of the Week


Implement Authentication Controls to Fail Securely
What to Do: Make sure authentication controls fail securely. Why: Designing authentication to fail securely when abnormal conditions occur reduces the r...

Hash and Salt Passwords
Applies to: PHP. What to Do: Hash and salt stored passwords. Why: Storing hashes instead of plain-text passwords assures that an attacker cannot easily r...

Force Password Renewal
What to Do: Force users to renew their passwords after a given period of time. Why: Forcing users to renew their passwords reduces the risk of valid cre...

Include Unique Tokens in HTTP Requests
What to Do: Include unique tokens in HTTP requests when performing sensitive operations to prevent Cross-Site Request Forgery (CSRF). Why: CSRF may be p...

Use Only Strong SSL Algorithms
Applies to: Apache. What to Do: Configure Apache to use only strong SSL algorithms. Why: Using strong encryption algorithms with SSL helps reduce the ris...

Force Reauthentication for Sensitive Operations
What to Do: Force the user to re-authenticate when executing security-critical functionality including, but not limited to, change of password, account...

How to Test for Account Lockout Vulnerabilities
Summary: A web application uses an account lockout policy to protect against clients attempting to log into accounts not belonging to them. However, th...

Encrypt Stored Sensitive Data
Applies to: Android applications that store sensitive data. What to Do: Encrypt stored sensitive data. Why: Sensitive data at rest should be encrypted t...

Allocate Enough Buffer Space for Copying Data
What to Do: Only copy the amount of data that can fit in the array or string. Make sure that the array or string is large enough to fit all the data, i...

Use Parameterized Methods for Database Access
Applies to: Android applications that query a database. What to Do: Use parameterized query methods for database access. Why: Using parameterized query ...