
Security controls in a web application


I have developed a web application in .NET that interacts with an Oracle database. Now this app is being audited against the security controls of ISO 17799.
I'm afraid that my web app is lacking many security controls.

I have implemented some security controls, like a login page that asks for a userid and password in order to access the web app. Also, every web page calls a stored procedure when it is loaded. That SP checks whether the userid is allowed to access that web page.

However, there are many other security controls that I didn't know about. For example, a guy asked me whether the login page controls how many times somebody can try to log in. If somebody tries to log in more than three times without success, then the user account has to be blocked for some time. That is in order to avoid hacking, because somebody can use a program to generate random passwords and try to log in over and over until it succeeds.

My question is: Is there any practical guide to follow about which security controls must be implemented in a web application that interacts with a database? I think one should exist, with rules like:

- Passwords have to have at least 6 alphanumeric characters.
- If the user logs in for the first time, the application has to force him to change his password.
- If the user tries to log in more than three times unsuccessfully, then the account has to be blocked.
- etc, etc

Thank you very much!
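The three rules listed in the question (a minimum password policy, a forced password change on first login, and a temporary lockout after three failed attempts) are simple to implement but easy to get subtly wrong. The following is an added example, not code from the original post or from the asker's application: it shows the logic in Python so it can be run and tested stand-alone; the asker would port it into the .NET login page or the Oracle stored procedure. The in-memory dict stands in for the user table, and the thresholds (3 attempts, a 15-minute lock, 8-character minimum where the question says 6) are assumptions that belong in configuration.

```python
"""Account lockout, forced first-login password change and a minimal
password policy.  Added illustration, not code from the original post.
The dict stands in for the Oracle user table; all thresholds are assumed."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 3      # lock after the third consecutive failure (assumed)
LOCKOUT_SECONDS = 15 * 60    # assumed block duration; tune per policy
MIN_PASSWORD_LENGTH = 8      # assumption; the question mentions 6
PBKDF2_ITERATIONS = 100_000  # slow hash so offline guessing is expensive


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0          # epoch seconds; 0.0 means not locked
    must_change_password: bool = True  # set for every new account


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def create_account(store: Dict[str, Account], userid: str, initial_pw: str) -> None:
    salt = os.urandom(16)
    store[userid] = Account(salt=salt, pw_hash=_hash_password(initial_pw, salt))


def check_password_policy(password: str) -> List[str]:
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"at least {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("at least one letter")
    if not re.search(r"[0-9]", password):
        problems.append("at least one digit")
    return problems


# Dummy credentials so an unknown userid costs the same hash work and gets
# the same answer as a wrong password (no user enumeration via timing/text).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def login(store: Dict[str, Account], userid: str, password: str, now: float) -> str:
    """Return 'ok', 'must_change_password', 'locked' or 'invalid'."""
    acct: Optional[Account] = store.get(userid)
    if acct is None:
        hmac.compare_digest(_hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return "invalid"
    if acct.locked_until > now:
        return "locked"               # do not evaluate the password at all
    if acct.locked_until:             # lock has expired: start counting afresh
        acct.failed_attempts = 0
        acct.locked_until = 0.0
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
        return "invalid"
    acct.failed_attempts = 0          # success resets the counter
    return "must_change_password" if acct.must_change_password else "ok"


def change_password(store: Dict[str, Account], userid: str, old_pw: str,
                    new_pw: str, now: float) -> List[str]:
    """Verify the old password, enforce the policy, then rotate salt and hash.
    Returns the list of problems; empty on success."""
    if login(store, userid, old_pw, now) in ("invalid", "locked"):
        return ["current password not accepted"]
    problems = check_password_policy(new_pw)
    if problems:
        return problems
    acct = store[userid]
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash_password(new_pw, acct.salt)
    acct.must_change_password = False
    return []
```

Two points a reviewer would want noted: the lockout state must be kept and decided server-side (in the database, in the same transaction as the login check), never in the page or a cookie, or an attacker simply ignores it; and a lockout rule is by design a denial-of-service lever, since anyone who knows a userid can lock its owner out with three bad guesses, so failed attempts and lockouts should be logged and alerted on rather than silently absorbed.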
2 Solutions
I don't know of any single reference for what you are asking. That being said, the OWASP Top Ten guide (http://www.owasp.org/index.php/Top_10_2007) has many suggestions along with many references to other documents. For example, the section on authentication points to http://www.owasp.org/index.php/Guide_to_Authentication which answers some of the questions you have asked about password management.

I think you will run into some problems with finding a single document because security has no one-size-fits-all solution. That being said, perhaps you can find one that exists that meets your need. The Common Criteria from NIAP (a governmental organization) has many "protection profiles" that describe various requirements. See http://www.niap-ccevs.org/cc-scheme/pp/ for the existing protection profiles. There are many other standards (eg: the credit card companies are very big on PCI right now).

Good luck,

- Neil
Ted Bouskill, Senior Software Developer, commented:
Neil_Smithline is correct; there are many choices based on your needs. If you have heard of the 'Five 9s' of security (90% secure, 99% secure, up to 99.999% secure), adding one 9 gets exponentially more expensive.

Considering that many hackers use simple social engineering to get passwords, you should consider protecting against that as well. I.e.: your system uses complex passwords, it locks out users after 5 attempts and it even monitors automated data entry (I wrote an app that measured the duration of keyboard entry, and if it was too quick I knew a human didn't type the characters), yet it can be circumvented by a hacker calling a support line and asking for a password reset email without proper validation by the operator.