Security controls in a web application

Posted on 2007-07-22
Last Modified: 2010-04-06

I have developed a web application in .NET that interacts with an Oracle database. Now this app is being audited according to the security issues of ISO 17799.
I'm afraid that my web app is lacking many security controls.

I have implemented some security controls, like a login page that asks for a userid and password in order to access the web app. Also, every web page calls a stored procedure when it is loaded. That SP checks whether the userid is allowed to access that web page.

However, there are many other security controls that I didn't know about. For example, a guy asked me if the login page controls how many times somebody can try to log in. If somebody tries to log in more than three times with no success, then the user account has to be blocked for some time. That is in order to avoid hacking, because somebody can use some program to generate random passwords and try to log in over and over until it succeeds.

My question is: Is there any practical guide to follow about what security controls must be implemented in a web application that interacts with a database? I think one should exist, like:

- Passwords have to have at least 6 alphanumeric characters.
- If the user logs in for the first time, the application has to force him to change his password.
- If the user tries to log in more than three times unsuccessfully, then the account has to be blocked.
- etc.

Thank you very much!
Question by:miyahira
    LVL 1
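The lockout rule and the password rule described in the question, as an added example that is not part of the original post or of the asker's .NET application. The lockout duration (15 minutes), the reading of "6 alphanumeric characters" as at least six characters with both a letter and a digit, and the in-memory storage are assumptions; in the real app the counter and lock expiry would live in the Oracle user table so every web server sees the same state.

```python
import re
from datetime import datetime, timedelta
MAX_FAILED_ATTEMPTS = 3                   # failures allowed before the account is blocked
LOCKOUT_DURATION = timedelta(minutes=15)  # "blocked for some time": assumed value
MIN_PASSWORD_LENGTH = 6

def password_meets_policy(password):
    """At least 6 characters, containing both a letter and a digit (assumed reading)."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)

class ManualClock:  # injectable clock so the lockout window can be exercised without waiting
    def __init__(self, start=datetime(2007, 7, 22, 12, 0)):
        self.now = start
    def advance(self, minutes):
        self.now += timedelta(minutes=minutes)
    def __call__(self):
        return self.now

class LoginGuard:
    """Per-user failed-attempt counter with a timed lock. State is in memory here;
    in production it belongs in the database, updated by the login stored procedure."""
    def __init__(self, now=datetime.now):
        self._now = now
        self._failed = {}        # userid -> consecutive failed attempts
        self._locked_until = {}  # userid -> datetime when the lock expires
    def is_locked(self, userid):
        until = self._locked_until.get(userid)
        if until is None:
            return False
        if self._now() < until:
            return True
        # lock expired: forget it and give the user a fresh attempt budget
        del self._locked_until[userid]
        self._failed.pop(userid, None)
        return False
    def attempt(self, userid, password_ok):
        """Record one login attempt; returns 'locked', 'success' or 'failed'."""
        if self.is_locked(userid):
            return "locked"      # refused before the password is considered, even if correct
        if password_ok:
            self._failed.pop(userid, None)   # a success resets the counter
            return "success"
        self._failed[userid] = self._failed.get(userid, 0) + 1
        if self._failed[userid] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[userid] = self._now() + LOCKOUT_DURATION
            return "locked"
        return "failed"
```

A locked account refuses even the correct password until the window expires, which is what stops a password-guessing program from simply continuing after the third try.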

    Accepted Solution

    I don't know of any single reference for what you are asking. That being said, the OWASP Top Ten guide has many suggestions along with many references to other documents. For example, the section on authentication points to which answers some of the questions you have asked about password management.

    I think you will run into some problems with finding a single document because security has no one-size-fits-all solution. That being said, perhaps you can find one that exists that meets your need. The Common Criteria from NIAP (a governmental organization) has many "protection profiles" that describe various requirements. See for the existing protection profiles. There are many other standards (e.g. the credit card companies are very big on PCI right now).

    Good luck,

    - Neil
    LVL 51

    Assisted Solution

    Neil_Smithline is correct, there are many choices based on your needs. If you have heard of the 'Five 9s' of security (90% secure, 99% secure to 99.999% secure), adding one 9 gets exponentially more expensive.

    Considering that many hackers use simple social engineering to get passwords, you should consider protecting against that as well. I.e.: your system uses complex passwords, it locks out users after 5 attempts and even monitors automated data entry (I wrote an app that detected the duration of keyboard entry, and if it was too quick I knew a human didn't type the characters), yet it can be circumnavigated by a hacker calling a support line and asking for a password email reset without proper validation by the operator.
