Suggestions for Applications Security while Developing the Applications and Maintenance
In this blog I would like to suggest to follow below rules for application security while developing the applications and maintenance.
This concept is related to "Penetration testing"
From an application initial stage to maintenance stage we should maintain the application security.
At the stage of development and maintenance of the application we needs to follow the below rules
1. Don't use normal statement class for retrieving the data from database in DAO classes
2. Use “Prepared Statement” for SQL query usage
3. Don't store sensitive data in application directories without encryption of the file
4. Showing the sensitive data in URL’s, it's not best practice
5. SSL certification (ECDSA, RSA) is mandatory for application or server
6. Don't expose the database keys directly in application links
7. Write data patterns in input fields should be accurate
8. Use separate token system for sensitive functionality
9. Check the status of the all the ports which are used for application in the server
10. Don't push the code with default credentials in the application
11. Don't allow to enter special chars from input fields
12. Don't allow an authentication after 3 incorrect attempts
13. Need to regenerate the new session token after successful login
14. Use IDS/IPS for servers to detecting the malicious requests
15. Use captcha for sensitive functionality
16. Session tokens and functionality respective tokens should not be predictable
17. Don't store log files in application directories files
18. Update the technologies with latest releases, which are using for developing the application.
Vijay Kumar Sokkala
Application Security Analysthttp://www.mouritech.com/