Security Guidelines For Website Development
We take security seriously. Atoconn builds a number of features and techniques into its work that enforce good security practices and protect clients' data against a broad range of threats.
The top vulnerabilities for web applications:
1. Injection
Injection occurs when untrusted data supplied by the client is inserted into a command or query and the server interprets it as part of the command rather than as data.
Attack vectors include SQL, XML, ORM and code injection, as well as buffer overflows.
Recommendations
- Presentation: set correct content type, character set & locale
- Submission: validate fields and provide feedback
- Controller: sanitize input; positive input validation using the correct character set
- Model: parameterized queries
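The model-layer recommendation above is the one that actually stops SQL injection; positive input validation at the controller is defence in depth. The following is an added Python example (not code from the original page or from Atoconn) using the standard-library sqlite3 driver and a constructed in-memory users table; the table contents, function names and the injection payload are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data, not from the original page.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Constructed injection payload: closes the string literal and adds an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable: the client value is spliced into the SQL text, so quotes and
    keywords inside it are parsed as SQL."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized: the driver binds the value separately from the statement,
    so it can never change the query's structure."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def positive_validate_username(name):
    """Controller-level positive (allow-list) validation: reject anything that is
    not a plausible username instead of trying to strip 'bad' characters."""
    ok = 1 <= len(name) <= 32 and all(
        c.isascii() and (c.isalnum() or c in "_-") for c in name
    )
    if not ok:
        raise ValueError("invalid username")
    return name


def demo():
    """Run the same payload through both query styles.
    Returns (rows leaked by the vulnerable query, rows returned by the safe one)."""
    conn = make_db()
    leaked = find_user_vulnerable(conn, PAYLOAD)  # every row: the WHERE is always true
    safe = find_user_safe(conn, PAYLOAD)          # no rows: no user is literally named that
    return len(leaked), len(safe)


if __name__ == "__main__":
    print("vulnerable rows, safe rows:", demo())
```

The vulnerable function is kept only to show the difference; the hardened code path is the parameterized query plus the allow-list check, in that order of importance.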
2. Weak authentication and session management
Inadequate authentication or improper session management (predictable session identifiers, sessions that never expire, credentials or session tokens sent in the clear) can let an attacker impersonate a user, or let a user obtain more privileges than they are entitled to.
Recommendations
- Presentation: validate authentication & role; send CSRF token with forms
- Design: only use built-in session management
- Controller: validate user, role, CSRF token
- Model: validate the role
- Tip: consider the use of a request governor (rate limiting) to slow down brute-force login and session-guessing attempts
3. Cross-Site Scripting (XSS)
Insufficient input validation and missing output encoding allow one user to add content to a web site that executes as script in the browsers of other users who view it.
Recommendations
- Presentation: output encode all user data as per the output context; set input constraints
- Controller: positive input validation
- Tips: only process trustworthy data; do not store data HTML-encoded in the DB, because the correct encoding depends on the output context (HTML body, attribute, JavaScript, URL) and is only known at render time
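Because the right encoding depends on where the value is rendered, a single "sanitize on input" step is not enough. The following is an added Python example (not code from the original page or from Atoconn) that encodes one piece of user data for four different output contexts using only the standard library; the page fragment, function names and the hostile sample input are constructed for the demonstration.

```python
import html
import json
from urllib.parse import quote

# Constructed hostile input, the kind of value that would be stored raw in the DB.
PAYLOAD = '"><script>alert(1)</script>'


def encode_html_text(value):
    """Element content context: <p>HERE</p>. Escapes & < > " and '."""
    return html.escape(value, quote=True)


def encode_html_attr(value):
    """Quoted attribute value context: title="HERE". The caller must quote."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """JavaScript string-literal context inside a <script> block: var x = HERE;
    json.dumps yields a quoted, escaped literal with non-ASCII as \\uXXXX; the
    HTML-significant characters are additionally hex-escaped so the value can
    neither close the script element nor start a tag."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        encoded = encoded.replace(ch, esc)
    return encoded


def encode_url_param(value):
    """Query-string value context: /go?u=HERE. Nothing is left unencoded."""
    return quote(value, safe="")


def render_profile(display_name, bio, website):
    """Presentation layer: the same raw value is encoded differently for each
    place it lands. Storage keeps the raw value; encoding happens here."""
    return (
        f'<h1 title="{encode_html_attr(display_name)}">'
        f"{encode_html_text(display_name)}</h1>\n"
        f"<p>{encode_html_text(bio)}</p>\n"
        f'<a href="/go?u={encode_url_param(website)}">site</a>\n'
        f"<script>var name = {encode_js_string(display_name)};</script>"
    )


if __name__ == "__main__":
    print(render_profile(PAYLOAD, PAYLOAD, "https://evil.example/?a=1&b=2"))
```

The `<script>` line is the case most often missed: HTML-escaping a value that lands inside a JavaScript literal is the wrong encoder, and JSON-encoding alone still lets `</script>` through, which is why the extra hex escapes are applied.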
4. Insecure Direct Object Reference
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example, database records or files.
Recommendations
- Presentation: don’t expose internal data; use random reference maps
- Controller: obtain data from trusted sources or random reference maps
- Model: validate user roles before updating data
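A random reference map replaces internal identifiers with per-session tokens so that a user cannot reach another record simply by changing a number in the URL; the model still re-checks ownership in case the map is bypassed. The following is an added Python example (not code from the original page or from Atoconn) with a constructed invoice store; the data, session shape and function names are assumptions made for the demonstration.

```python
import secrets

# Constructed data store: internal ids, owners and content (not from the page).
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 80.0},
}


class IndirectReferenceMap:
    """Per-session map between random, unguessable tokens and internal ids.
    A token is minted only when the session is shown the object, so a token
    resolves only inside the session that received it."""

    def __init__(self):
        self._token_to_id = {}
        self._id_to_token = {}

    def token_for(self, internal_id):
        token = self._id_to_token.get(internal_id)
        if token is None:
            token = secrets.token_urlsafe(16)  # 128 bits of randomness
            self._id_to_token[internal_id] = token
            self._token_to_id[token] = internal_id
        return token

    def resolve(self, token):
        return self._token_to_id.get(token)


def new_session(user):
    """Assumed session shape: the authenticated user plus its reference map."""
    return {"user": user, "refs": IndirectReferenceMap()}


def list_invoices(session):
    """Presentation layer: expose only tokens, never the internal ids."""
    refs = session["refs"]
    return [
        refs.token_for(iid)
        for iid, inv in INVOICES.items()
        if inv["owner"] == session["user"]
    ]


def get_invoice(session, token):
    """Controller: resolve the token through this session's map only.
    Model: re-validate ownership before returning data (defence in depth)."""
    internal_id = session["refs"].resolve(token)
    if internal_id is None:
        raise PermissionError("unknown reference")
    invoice = INVOICES[internal_id]
    if invoice["owner"] != session["user"]:
        raise PermissionError("not the owner")
    return invoice


if __name__ == "__main__":
    alice = new_session("alice")
    for tok in list_invoices(alice):
        print(tok, get_invoice(alice, tok))
```

Sending a raw id such as `1002` fails at the first check because it was never issued as a token; a token copied from another user's session fails for the same reason, and the ownership check in the model catches any future bug in the mapping code.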
5. Security Misconfiguration
Improper configuration of any layer of the application architecture (default accounts, verbose error pages, unpatched servers, unnecessary services left enabled) can compromise the security of the whole architecture.
Recommendations
- Presentation: harden web and application servers; use HTTP strict transport security
- Controller: harden web and application servers; protect your XML stack
- Model: harden database servers
6. Sensitive Data Exposure
Sensitive data must be protected when it is transmitted through the network. Such data can include user credentials and credit cards. As a rule of thumb, if data must be protected when it is stored, it must be protected also during transmission.
Recommendations
- Presentation: use TLS 1.2 or later; use strong ciphers and hashes; do not send keys or password hashes to the browser
- Controller: use strong ciphers and hashes
- Model: mandate strongly encrypted communications with servers
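Two of the recommendations above are easy to get subtly wrong in code: the TLS floor on outbound connections, and the "strong hash" for stored credentials, which must be a slow salted password hash compared in constant time rather than a plain digest. The following is an added Python example (not code from the original page or from Atoconn) using only the standard library; the iteration count, storage format and function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import ssl


def hardened_client_context():
    """Client-side TLS for talking to backend servers: certificate and hostname
    verification on, TLS 1.2 as the floor so TLS 1.0/1.1 cannot be negotiated."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx):
    """Check that a context keeps verification on and refuses pre-1.2 TLS."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def hash_password(password, iterations=600_000, salt=None):
    """Model layer: store a salted PBKDF2-HMAC-SHA256 hash, never the password.
    The iteration count is an assumption; it is stored with the hash so it can
    be raised later without breaking existing records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except (ValueError, AttributeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print("TLS context hardened:", context_is_hardened(hardened_client_context()))
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
```

The stored record is the only thing that ever leaves the model layer, and even that should stay server-side: the hash is not a secret the browser needs.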
7. Missing Function Level Access Control
Applications often show links or menu items only to authorised users but fail to re-check authorisation on the server when the underlying function is called. An attacker who knows or guesses the URL can forge the request and invoke privileged functionality directly.
Recommendations
- Presentation: ensure that non-web data is outside the web root; validate users and roles; send CSRF tokens
- Controller: validate users and roles; validate CSRF tokens
- Model: validate roles
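Hiding a menu item is presentation, not access control: the check has to run in the controller on every call, and the model should refuse a privileged write on its own. The following is an added Python example (not code from the original page or from Atoconn) showing a role-check decorator at the controller layer plus an independent check in the model; the user store, role names and session shape are assumptions made for the demonstration.

```python
from functools import wraps


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed user store, not from the original page.
USERS = {
    "alice": {"role": "user", "active": True},
    "root": {"role": "admin", "active": True},
}


def require_role(*allowed_roles):
    """Controller-level check: runs before the function body on every call,
    regardless of whether the UI ever showed the user a link to it."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session, *args, **kwargs):
            if not session or not session.get("user"):
                raise Unauthenticated("login required")
            if session.get("role") not in allowed_roles:
                raise Forbidden("%s may not call %s" % (session.get("role"), fn.__name__))
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


def model_set_active(session, username, active):
    """Model layer re-validates the role so a missing decorator elsewhere
    cannot reach the data."""
    if session.get("role") != "admin":
        raise Forbidden("model refuses non-admin write")
    USERS[username]["active"] = active
    return USERS[username]


@require_role("admin")
def admin_disable_user(session, username):
    """Privileged controller action: only reachable with an admin session."""
    return model_set_active(session, username, False)


def menu_for(session):
    """Presentation: hide the admin link from non-admins. This is usability,
    not a security control."""
    items = ["/profile"]
    if session.get("role") == "admin":
        items.append("/admin/users")
    return items


if __name__ == "__main__":
    admin = {"user": "root", "role": "admin"}
    print(menu_for(admin), admin_disable_user(admin, "alice"))
```

The decorator takes the session as the first argument so it can be applied to any controller function uniformly; a real framework would pull the session from the request instead.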
8. Cross-Site Request Forgery (CSRF)
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
Recommendations
- Presentation: validate users and roles; send CSRF tokens
- Controller: validate users and roles; validate CSRF tokens
- Model: validate roles
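The CSRF token recommendations in this section and in section 2 (send the token with every form, validate it in the controller) come down to one mechanism: a per-request secret the browser will not attach automatically the way it attaches cookies. The following is an added Python example (not code from the original page or from Atoconn) that issues tokens bound to the session id with an HMAC and rejects a forged cross-site request; the server secret, session shape and the account data are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumed: one secret per deployment, loaded from configuration in practice.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed account balances, not from the original page.
BALANCES = {"alice": 100, "mallory": 0}


class CsrfError(Exception):
    pass


def _mac(session_id, nonce, secret):
    msg = ("%s:%s" % (session_id, nonce)).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Presentation layer: embed the result as a hidden field in every
    state-changing form. The token is bound to this session only."""
    nonce = secrets.token_hex(16)
    return "%s.%s" % (nonce, _mac(session_id, nonce, secret))


def validate_csrf_token(session_id, token, secret=SERVER_SECRET):
    """Controller layer: recompute the MAC for this session and compare in
    constant time. A token issued to another session fails here."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce, secret))


def transfer(session, form):
    """State-changing controller action: authenticate, then check the token,
    then act. Returns the sender's new balance."""
    if not session.get("user"):
        raise PermissionError("login required")
    if not validate_csrf_token(session["id"], form.get("csrf_token")):
        raise CsrfError("missing or invalid CSRF token")
    amount = int(form["amount"])
    BALANCES[session["user"]] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return BALANCES[session["user"]]


if __name__ == "__main__":
    alice = {"id": "sess-alice", "user": "alice"}
    token = issue_csrf_token(alice["id"])
    print(transfer(alice, {"csrf_token": token, "amount": "10", "to": "mallory"}))
```

The forged request from a hostile page arrives with the victim's session cookie (so `session["user"]` is set) but without a token for that session, which is exactly the case `validate_csrf_token` rejects. Because the token carries its own MAC, the server does not need to store issued tokens.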
9. Using Components with Known Vulnerabilities
Components such as libraries, frameworks and other software modules run with the full privileges of the application. Many have publicly known vulnerabilities and published attack strategies that can be exploited to take control of the server or to steal data.
Recommendations
- Don’t use components with known vulnerabilities: keep an inventory of every component and its version, watch vulnerability databases for them, and update promptly when a fix is released
10. Unvalidated Redirects and Forwards
Faulty business logic or attacker-controlled parameters can redirect or forward the user to an inappropriate destination, such as a phishing or malware site, while the link still appears to point at the trusted domain.
Recommendations
- Presentation: don’t build redirects from user-supplied URLs; use random indirect references (a key that maps server-side to an allowed destination)
- Controller: don’t redirect to user-supplied URLs; resolve indirect references server-side and validate any unavoidable target
- Model: validate roles
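The safest redirect takes a key that the server maps to a destination; when a `next`-style parameter cannot be avoided, the target must be restricted to a relative path on the same site. The following is an added Python example (not code from the original page or from Atoconn) showing both, using only the standard library; the redirect map, parameter names and the sample inputs are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed indirect reference map: the client names a key, only the server
# knows the destination. Not from the original page.
REDIRECT_TARGETS = {
    "home": "/dashboard",
    "orders": "/orders",
    "help": "https://help.example.com/",
}


def redirect_for_key(key, default="/"):
    """Preferred form: the client never supplies a URL, only a key."""
    return REDIRECT_TARGETS.get(key, default)


def safe_local_redirect(requested, default="/"):
    """Fallback for an unavoidable 'next' parameter: accept only a relative
    path on this site, otherwise fall back to a fixed default."""
    if not isinstance(requested, str) or not requested.startswith("/"):
        return default                                 # absolute URLs, schemes, empty
    if requested.startswith("//") or "\\" in requested:
        return default                                 # protocol-relative, backslash tricks
    if any(ord(c) < 0x20 or c.isspace() for c in requested):
        return default                                 # header injection, whitespace tricks
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        return default                                 # anything the parser sees as external
    return requested


def login_redirect(form):
    """Controller: prefer the key, fall back to a validated local path."""
    if "goto" in form:
        return redirect_for_key(form["goto"])
    return safe_local_redirect(form.get("next"))


if __name__ == "__main__":
    for candidate in ("/orders/42", "https://evil.example/", "//evil.example/x",
                      "/\\evil.example", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_local_redirect(candidate))
```

Rejecting with a fixed default rather than trying to "clean" the URL keeps the allow-list logic short and avoids the parser differences between servers and browsers that most open-redirect bypasses rely on.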
We at Atoconn take care of all aspects of security in order to protect our clients' data from malicious users and every kind of attack.
For Consultation (Web / Software / Mobile / Automation / IoT):
Reach us:
www.atoconn.com | business@atoconn.com
Tel: +91 6383185847 | +91 9834074763