Microsoft Windows Bulletin Board

Security controls in a web application



Guest Big Charles
Posted

Hello,

 

I have developed a web application in .NET that interacts with an Oracle database. Now this app is being audited against the security controls of ISO 17799. I'm afraid that my web app is lacking many security controls.

 

I have implemented some security controls, like a login page that asks for a userid and password in order to access the web app. Also, every web page calls a stored procedure when it is loaded. That SP checks whether the userid is allowed to access that web page.

 

However, there are many other security controls that I didn't know about. For example, a guy asked me if the login page controls how many times somebody can try to log in. If somebody tries to log in more than three times without success, then the user account has to be blocked for some time. That is in order to avoid hacking, because somebody can use some program to generate random passwords and try to log in over and over until it succeeds.

 

My question is: Is there any practical guide to follow about what security controls must be implemented in a web application that interacts with a database? I think one should exist, like:

- Passwords have to have at least 6 alphanumeric characters.
- If the user logs in for the first time, the application has to force him to change his password.
- If the user tries to log in more than three times unsuccessfully, then the account has to be blocked.
- etc., etc.

 

Thank you very much!

Guest James Matthews
Posted

I do not recall ever seeing a checklist of security procedures, but I can tell you that one way that works well is to think like an attacker. E.g.:

I need to hack into this server, so I need to know...

1. What software the server is running
2. How users authenticate
3. What the default usernames and passwords are

Now from each of these he can go and recon...

1. What software the server is running -> Apache.. IIS.. Are there any holes....
2. How users authenticate -> Is there a timeout? -> Can I try to log in from the same IP without getting banned, etc...
3. What the default usernames and passwords are -> Is it the user's first name and the first letter of his last, AKA jamesm, or the opposite?

This is the way you must think.

P.S. I have only shown very, very few.

James

--

http://www.goldwatches.com/watches.asp?Brand=14

"Big Charles" <cherediatech@yahoo.com> wrote in message

news:1185154492.526010.247340@57g2000hsv.googlegroups.com...

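The controls raised in the thread so far (lockout after three bad passwords, a minimum password policy, a forced change on first login, and James's point about whether the same IP can keep trying) fit in one small login gate. The code below is an added example, not code from the original post or from the .NET/Oracle application being audited. It assumes an in-memory account store and an injectable clock; the thresholds, the sample common-password list and the usernames are constructed for the demo.

```python
"""Login gate: salted slow hashing, per-account lockout, per-IP throttling,
password policy and forced password change on first login.
Constructed demo (in-memory store, fake clock), not the poster's .NET/Oracle code."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

MAX_FAILURES = 3          # lock the account after this many consecutive wrong passwords
LOCK_SECONDS = 15 * 60    # how long the account stays locked
IP_WINDOW = 60            # per-source throttle: at most IP_MAX attempts per IP_WINDOW seconds
IP_MAX = 10
PBKDF2_ROUNDS = 100_000   # kept low for the demo; raise it in production
COMMON_PASSWORDS = {"123456", "abc123", "qwerty1", "password1"}  # constructed sample list


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    must_change: bool = True   # forced change on first login
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen table cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_policy(password: str):
    """Return None if the password is acceptable, otherwise the reason it is not."""
    if len(password) < 6:
        return "too short (minimum 6 characters)"
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        return "must contain both letters and digits"
    if password.lower() in COMMON_PASSWORDS:
        return "too common"
    return None


class LoginGate:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so tests can advance time
        self.accounts = {}    # username -> Account
        self.ip_hits = {}     # source ip -> timestamps of recent attempts

    def create_user(self, user, password, must_change=True):
        problem = check_policy(password)
        if problem:
            raise ValueError(problem)
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt), must_change)

    def _ip_throttled(self, ip) -> bool:
        """Sliding window: count this attempt and refuse once the window is full."""
        t = self.now()
        recent = [h for h in self.ip_hits.get(ip, []) if t - h < IP_WINDOW]
        recent.append(t)
        self.ip_hits[ip] = recent
        return len(recent) > IP_MAX

    def login(self, user, password, ip) -> str:
        """Outcome for logging/tests: ok | must_change | denied | locked | throttled.
        Show the end user one generic failure for both denied and locked; a distinct
        "account locked" message confirms to an attacker which usernames exist."""
        if self._ip_throttled(ip):
            return "throttled"
        acct = self.accounts.get(user)
        t = self.now()
        if acct is None:
            hash_password(password, bytes(16))  # same cost as a real check: no timing leak on usernames
            return "denied"
        if t < acct.locked_until:
            return "locked"                     # do not even verify the password while locked
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures = 0
                acct.locked_until = t + LOCK_SECONDS
                return "locked"
            return "denied"
        acct.failures = 0
        return "must_change" if acct.must_change else "ok"

    def change_password(self, user, old, new, ip) -> bool:
        """Re-authenticate with the old password, then apply the policy to the new one."""
        if self.login(user, old, ip) not in ("ok", "must_change"):
            return False
        if check_policy(new) or new == old:
            return False
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new, acct.salt)
        acct.must_change = False
        return True


if __name__ == "__main__":
    gate = LoginGate()
    gate.create_user("charles", "s3cretX")
    for pw in ("guess01", "guess02", "guess03", "s3cretX"):
        print(pw, "->", gate.login("charles", pw, "192.0.2.7"))
```

Two design points worth noting. A per-account lockout on its own lets anyone who knows a username lock that user out by sending three junk passwords, so the lock is time-limited and paired with the per-IP window; in production you would also log the outcome string (which is why `login` returns it) while showing the browser only a generic failure. The same lockout, expiry and complexity rules can be enforced by the database server instead of the application, which is the trade-off the next reply raises.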

Guest Roger Abell [MVP]
Posted

You do not state what accounts are being used. In general, one may be better off passing account management tasks to the operating system or database server (SQL 2k5 at least; Oracle ??) rather than attempting to reinvent the whole as a one-man show.

 

"Big Charles" <cherediatech@yahoo.com> wrote in message

news:1185154492.526010.247340@57g2000hsv.googlegroups.com...

