11.07.2015 Views

Improving Web Application Security: Threats and - CGISecurity

Chapter 5: Architecture and Design Review for Security

Do You Enforce Strong Account Management Practices?

The use of strong passwords, restricted login attempts, and other best practice account management policies can be enforced by Windows security policy if your application uses Windows authentication. Otherwise, the application layer is responsible for this. Review the following aspects of the account management of your application:

● Does your application enforce strong passwords?
For example, do your ASP.NET Web pages use regular expressions to verify password complexity rules?

● Do you restrict the number of failed login attempts?
Doing so can help counter the threat of dictionary attacks.

● Do you reveal too much information in the event of failure?
Make sure you do not display messages such as "Incorrect password" because this tells malicious users that the user name is correct. This allows them to focus their efforts on cracking passwords.

● Do you enforce a periodic change of passwords?
This is recommended because otherwise there is a high probability that a user will not change his or her password, which makes it more vulnerable.

● Can you quickly disable accounts in the event of compromise?
If an account is compromised, can you easily disable the account to prevent the attacker from continuing to use the account?

● Does your application record login attempts?
Recording failed login attempts is an effective way to detect an attacker who is attempting to break in.

Authorization

Examine how your application authorizes its users. Also examine how your application is authorized inside the database and how access to system-level resources is controlled. Authorization vulnerabilities can result in information disclosure, data tampering, and elevation of privileges. A defense in depth strategy is the key security principle that you can apply to the authorization strategy of your application. Table 5.3 highlights the most common authorization vulnerabilities.
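The account management checklist above, turned into working code as an added example (not from the book): a complexity regex, a failed-attempt lockout, one uniform failure message, an audit record of every attempt, and an immediate disable switch. It is written in Python rather than ASP.NET so it runs stand-alone; the policy values (12-character minimum, five failures) are constructed.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field
# Constructed policy: 12+ chars with lower, upper, digit and symbol, checked by regex
COMPLEXITY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{12,}$")
MAX_FAILURES = 5                # lock after this many consecutive failures
GENERIC_ERROR = "Login failed"  # identical for unknown user, wrong password, locked account

def password_is_strong(password: str) -> bool:
    return COMPLEXITY.fullmatch(password) is not None

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    disabled: bool = False

@dataclass
class AuthService:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (user, outcome, reason) per attempt

    def register(self, user: str, password: str) -> None:
        if not password_is_strong(password):
            raise ValueError("password does not meet complexity policy")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def disable(self, user: str) -> None:
        self.accounts[user].disabled = True  # kill switch for a compromised account

    def login(self, user: str, password: str):
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\0" * 16)  # same work as a real check, so timing stays uniform
            self.audit_log.append((user, "fail", "unknown-user"))
            return False, GENERIC_ERROR
        if acct.disabled or acct.failures >= MAX_FAILURES:
            self.audit_log.append((user, "fail", "locked-or-disabled"))
            return False, GENERIC_ERROR
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            self.audit_log.append((user, "ok", ""))
            return True, "Welcome"
        acct.failures += 1  # the log, not the user, records why the attempt failed
        self.audit_log.append((user, "fail", "bad-password"))
        return False, GENERIC_ERROR
```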
