Countermeasures

From Guidance Share

Jump to: navigation, search

Contents

Input/Data Validation

  • Assume all input is malicious.
  • Centralize your approach.
  • Do not rely on client-side validation.
  • Be careful with canonicalization issues.
  • Constrain, reject, and sanitize your input.
  • Constrain input.
  • Validate data for type, length, format, and range.
  • Reject known bad input.
  • Sanitize input.
  • Encrypt sensitive cookie state.
  • Make sure that users do not bypass your checks.
  • Validate all values sent from the client.
  • Do not trust HTTP header information.
  • Encrypt sensitive cookie state.
  • Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers).
  • Validate all values sent from the client.
  • Do not trust input
  • Consider centralized input validation.
  • Do not rely on client-side validation.
  • Be careful with canonicalization issues.
  • Constrain, reject, and sanitize input.
  • Validate for type, length, format, and range.


Authentication

  • Separate public and restricted areas.
  • Use account lockout policies for end-user accounts.
  • Support password expiration periods.
  • Be able to disable accounts.
  • Do not store passwords in user stores.
  • Require strong passwords.
  • Do not send passwords over the wire in plaintext.
  • Protect authentication cookies.
  • Partition site by anonymous, identified, and authenticated area.
  • Use strong passwords.
  • Support password expiration periods and account disablement.
  • Do not store credentials (use one-way hashes with salt).
  • Encrypt communication channels to protect authentication tokens.
  • Pass Forms authentication cookies only over HTTPS connections.


Authorization

  • Use multiple gatekeepers.
  • Restrict user access to system-level resources.
  • Consider authorization granularity.
  • Use least privileged accounts.
  • Consider authorization granularity.
  • Enforce separation of privileges.
  • Restrict user access to system-level resources.


Auditing and Logging

  • Audit and log access across application tiers.
  • Consider identity flow.
  • Log key events.
  • Secure log files.
  • Back up and analyze log files regularly.
  • Identify malicious behavior.
  • Know what good traffic looks like.
  • Audit and log activity through all of the application tiers.
  • Secure access to log files.
  • Back up and regularly analyze log files.


Configuration Management

  • Secure your administration interfaces.
  • Secure your configuration store.
  • Maintain separate administration privileges.
  • Use least privileged process and service accounts.
  • Use least privileged process and service accounts.
  • Do not store credentials in plaintext.
  • Use strong authentication and authorization on administration interfaces.
  • Do not use the LSA.
  • Secure the communication channel for remote administration.
  • Avoid storing sensitive data in the Web space.


Sensitive Data

  • Do not store secrets if you can avoid it.
  • Do not store secrets in code.
  • Do not store database connections, passwords, or keys in plaintext.
  • Avoid storing secrets in the Local Security Authority (LSA).
  • Use Data Protection API (DPAPI) for encrypting secrets.
  • Retrieve sensitive data on demand.
  • Encrypt the data or secure the communication channel.
  • Do not store sensitive data in persistent cookies.
  • Do not pass sensitive data using the HTTP-GET protocol.
  • Avoid storing secrets.
  • Encrypt sensitive data over the wire.
  • Secure the communication channel.
  • Provide strong access controls on sensitive data stores.
  • Do not store sensitive data in persistent cookies.
  • Do not pass sensitive data using the HTTP-GET protocol.

Session Management

  • Use SSL to protect session authentication cookies.
  • Encrypt the contents of the authentication cookies.
  • Limit session lifetime.
  • Protect session state from unauthorized access.
  • Limit the session lifetime.
  • Secure the channel.
  • Encrypt the contents of authentication cookies.
  • Protect session state from unauthorized access.


Cryptography

  • Do not develop your own cryptography.
  • Keep unencrypted data close to the algorithm.
  • Use the correct algorithm and correct key size.
  • Secure your encryption keys.
  • Do not develop your own.
  • Use tried and tested platform features.
  • Keep unencrypted data close to the algorithm.
  • Use the right algorithm and key size.
  • Avoid key management (use DPAPI).
  • Cycle your keys periodically.
  • Store keys in a restricted location.
  • Exception Management
  • Do not leak information to the client.
  • Log detailed error messages.
  • Catch exceptions.
  • Use structured exception handling.
  • Do not reveal sensitive application implementation details.
  • Do not log private data such as passwords.
  • Consider a centralized exception management framework.
Personal tools