Security controls in a web application

Posted on 2007-07-22
Last Modified: 2010-04-06

I have developed a web application in .NET that interacts with an Oracle database. Now this app is being audited against the security controls of ISO 17799.
I'm afraid that my web app is lacking many security controls.

I have implemented some security controls, like a login page that asks for a userid and password in order to access the web app. Also, every web page calls a stored procedure when it is loaded. That SP checks whether the userid is allowed to access that web page.

However, there are many other security controls that I didn't know about. For example, a guy asked me if the login page controls how many times somebody can try to log in. If somebody tries to log in more than three times without success, then the user account has to be blocked for some time. That is in order to avoid hacking, because somebody can use a program to generate random passwords and try to log in over and over until it succeeds.

My question is: Is there any practical guide to follow about what security controls must be implemented in a web application that interacts with a database? I think one should exist, like:

- Passwords have to have at least 6 alphanumeric characters.
- If the user logs in for the first time, the application has to force him to change his password.
- If the user tries to log in more than three times unsuccessfully, then the account has to be blocked.
- etc, etc

Thank you very much!
Question by: miyahira
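The three controls listed in the question (minimum password policy, forced change on first login, and a temporary lockout after three failed attempts) are simple enough to model in a few dozen lines. The following is an added illustration, not code from the asker's .NET application or from any answer in the thread; it is written in Python as a language-neutral model, and the account name, the password values, the 15-minute lockout duration and the PBKDF2 parameters are all assumptions chosen for the example. A fake clock is injected so the lockout expiry can be exercised deterministically.

```python
"""Account lockout, first-login password change and password policy: an
illustrative model of the controls discussed in the question.  Assumptions
(not from the original thread): three failed attempts lock the account for
15 minutes, a policy of >= 6 characters with at least one letter and one
digit, and PBKDF2-SHA256 for password storage."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3                       # assumed threshold from the question
LOCKOUT_DURATION = timedelta(minutes=15)      # assumed "some time"
MIN_PASSWORD_LENGTH = 6                       # from the question's first bullet
PBKDF2_ITERATIONS = 100_000                   # assumed work factor


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check does not leak timing information."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def password_meets_policy(password: str) -> bool:
    """At least MIN_PASSWORD_LENGTH characters, containing a letter and a digit."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    must_change_password: bool = True         # set for newly created accounts
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def make_account(user_id: str, password: str, first_login: bool = True) -> Account:
    salt, digest = hash_password(password)
    return Account(user_id, salt, digest, must_change_password=first_login)


class AuthService:
    def __init__(self, accounts: List[Account], clock: Callable[[], datetime] = datetime.utcnow):
        self.accounts: Dict[str, Account] = {a.user_id: a for a in accounts}
        self.clock = clock

    def login(self, user_id: str, password: str) -> str:
        now = self.clock()
        acct = self.accounts.get(user_id)
        if acct is None:
            return "FAILED"                   # same answer as a wrong password: no user enumeration
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "LOCKED"               # still locked, even if the password is right
            acct.locked_until = None          # lockout expired: start counting afresh
            acct.failed_attempts = 0
        if not verify_password(password, acct.salt, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_DURATION
                return "LOCKED"
            return "FAILED"
        acct.failed_attempts = 0              # success resets the counter
        if acct.must_change_password:
            return "CHANGE_PASSWORD"          # authenticated, but may only reach the change-password page
        return "OK"

    def change_password(self, user_id: str, old: str, new: str) -> str:
        acct = self.accounts.get(user_id)
        if acct is None or not verify_password(old, acct.salt, acct.digest):
            return "REJECTED"
        if new == old or not password_meets_policy(new):
            return "REJECTED"
        acct.salt, acct.digest = hash_password(new)
        acct.must_change_password = False
        return "OK"


def demo_lockout_sequence() -> List[str]:
    """Drive a constructed account through lockout, expiry, forced change and
    a normal login; returns the outcome of each step in order."""
    t = [datetime(2007, 7, 22, 9, 0, 0)]      # mutable fake clock (constructed)
    svc = AuthService([make_account("alice", "Summer07", first_login=True)], clock=lambda: t[0])
    steps = [
        svc.login("alice", "wrong1"),         # FAILED  (1 of 3)
        svc.login("alice", "wrong2"),         # FAILED  (2 of 3)
        svc.login("alice", "wrong3"),         # LOCKED  (threshold reached)
        svc.login("alice", "Summer07"),       # LOCKED  (correct password does not help)
    ]
    t[0] += LOCKOUT_DURATION                  # lockout window elapses
    steps += [
        svc.login("alice", "Summer07"),       # CHANGE_PASSWORD (first login)
        svc.change_password("alice", "Summer07", "short"),     # REJECTED by policy
        svc.change_password("alice", "Summer07", "Autumn07"),  # OK
        svc.login("alice", "Autumn07"),       # OK
        svc.login("nobody", "x"),             # FAILED (unknown user looks like a bad password)
    ]
    return steps
```

The state lives on the `Account` object here; in the asker's design the counter and `locked_until` would naturally be columns in the Oracle user table updated by the login stored procedure, so that the lockout survives an application restart and is shared across web servers.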

Accepted Solution

Neil_Smithline earned 1400 total points
ID: 19544633
I don't know of any single reference for what you are asking. That being said, the OWASP Top Ten guide (http://www.owasp.org/index.php/Top_10_2007) has many suggestions along with many references to other documents. For example, the section on authentication points to http://www.owasp.org/index.php/Guide_to_Authentication which answers some of the questions you have asked about password management.

I think you will run into some problems with finding a single document because security has no one-size-fits-all solution. That being said, perhaps you can find one that exists that meets your need. The Common Criteria from NIAP (a governmental organization) has many "protection profiles" that describe various requirements. See http://www.niap-ccevs.org/cc-scheme/pp/ for the existing protection profiles. There are many other standards (e.g. the credit card companies are very big on PCI right now).

Good luck,

- Neil

Assisted Solution

by: Ted Bouskill
Ted Bouskill earned 600 total points
ID: 19561123
Neil_Smithline is correct; there are many choices based on your needs. If you have heard of the 'Five 9s' of security (90% secure, 99% secure, up to 99.999% secure), adding one 9 gets exponentially more expensive.

Considering that many hackers use simple social engineering to get passwords, you should consider protecting against that as well. I.e.: your system uses complex passwords, it locks out users after 5 attempts and it even monitors automated data entry (I wrote an app that detected the duration of keyboard entry, and if it was too quick I knew a human didn't type the characters), yet it can be circumvented by a hacker calling a support line and asking for a password email reset without proper validation by the operator.
