Inception - Defining Security Requirements
1) Application Environment:
* Identity, understand and accomodate your organization's security policies.
* Reconize infrastructure restrictions, such as services, protocols and firewalls.
* Identify hosting environment restrictions (e.g., virtual private network [VPN], sandboxing)
* Define the application deployment configuration.
* Define network domain structures, clustering and remote application servers.
* Identify database servers
* Identify which secure communication features the environment supports
* Address Web farm considerations (including session state management, machine-specific encryption keys, SSL, certificate deployment issues and roaming profiles). If the application uses SSL, identify the certificate authority (CA) and types to be used.
* Address required scalability and peformance criteria.
* Investigate the code trust level.
2) Input/Data validation and authentication:
* Assume that all client input is potentially dangerous.
* Identify all trust boundaries for identifiy accounts and/or resources that cross those boundaries.
* Define account management policies and a least-privileged accounts policy.
* Specify requirements for strong passwords and enforcement measures.
* Encrypt user credentials using SSL, VPN, IPsec or the like, and ensure that authentication information (e.g., tokens, cookies, tickets) will not be transmitted over non-encrypted connections.
*Ensure that minimal error information will be returned to the client in the event of authentication failure.
3) Session Management:
* Limit the session lifetime.
* Protect the session state from unauthorized access.
* Ensure that session identifiers are not passed in query strings.