Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
11/1/2013
Transerv Pvt Ltd.
Secure Coding Guidelines Date:03/05/17
Version-01
Rev No.00
Table of Contents
1 Introduction.........................................................................................................................4
2 Secure Architecture.............................................................................................................4
3 Secure Designing................................................................................................................7
4 Secure Coding.....................................................................................................................9
This document provides specific guidance for application developers to apply during
web application development.
2 Secure Architecture
2.1 Cryptographic Practices:
Cryptographic systems and techniques must be used for the protection of
information that is considered at risk.
A. Selecting Cryptographic Algorithms:
Cryptographic systems provide authentication, non-repudiation, confidentiality
and integrity. Depending on your risks and requirements, you need to decide
which of these four functions should be used to protect your data. You need to
select an algorithm which is computationally difficult to break. The following are
types of cryptographic systems:
Symmetric Cryptography:
In Symmetric Cryptography, both parties share the same key for
encryption and decryption. This key needs to be kept secret. If anyone
gets to know the key, he/she can easily decrypt the encrypted
information. A few well-known examples are: DES, Triple-DES (3DES),
IDEA, BLOWFISH, and TWOFISH. (HTTPS is being used here)
Asymmetric Cryptography:
Asymmetric algorithms use pairs of keys. One is used for encryption and
the other one for decryption. The decryption key is typically kept secret,
therefore called "private key", while the encryption key is spread to the
world for encrypting messages, therefore called "public key". Hence, it is
more secure than symmetric cryptography. A few well-known examples
are RSA, DSA, and ELGAMAL.
Transerv Pvt Ltd.
Secure Coding Guidelines Date:03/05/17
Version-01
Rev No.00
Hashes:
Hash functions take some data of an arbitrary length and generate a
fixed-length hash value based on this input. A few well-known examples
are MD5, SHA-1, and AES.
B. Recommendation:
Depending on your requirements and risks, you should choose symmetric or
asymmetric cryptography. However, there are some algorithms which are found
to be vulnerable. Hence, you should avoid them. Vulnerable Algorithms: MD5,
SHA-0, SHA-1 and DES
As per an application threat modelling approach, below are some best practices
you should follow while implementing cryptographic systems in your application:
Symmetric Cryptography:
Minimum key size of 128 bits should be sufficient for most general
purpose applications.
Minimum key size of 168 or 256 bits should be sufficient for critical
applications such as financial or containing partner \ client information.
Asymmetric Cryptography:
Minimum Key sizes of 1280 bits should be sufficient for most general
purpose applications.
Hashes:
Minimum hash size of 128 bits should be sufficient for most general
purpose applications.
Minimum hash size of 168 or 256 bits should be sufficient for critical
applications such as financial or containing partner \ client information.
A. Session ID Creation
The session tokens should be generated via a cryptographically secure
random number generator and handled by the web server.
B. Session Expiration:
Session should get terminated and all session tokens should get
destroyed after logout action.
C. Session ID Length
Session tokens should be greater or equal to128-bit.
D. Inactivity Time Out
Authenticated sessions should time-out after pre-determined period of
inactivity – 15-20 minutes is recommended.
Transerv Pvt Ltd.
Secure Coding Guidelines Date:03/05/17
Version-01
Rev No.00
Recommendations:
Use only TLSv1.2. Do not use SSLv2.0/SSLv3.0 since they are affected
with multiple vulnerabilities.
Avoid using all cipher suites that runs in CBC mode.
Weak ciphers (less than 128 bits) should not be used.
Secure Renegotiation should be enabled.
Avoid using MD5 and RC4 due to collision and crypto-analytical attacks
respectively.
Server should support Forward Secrecy.
Transerv Pvt Ltd.
Secure Coding Guidelines Date:03/05/17
Version-01
Rev No.00
3 Secure Designing
3.1 Authentication and Password Management
A. Password Policy
Combining the below defined length with complexity makes a password difficult
to guess and/or brute force.
Password Length: Passwords should be at least eight characters long.
Password Complexity: Password characters should be a combination of
upper case and lower case letters, special characters and numeric digits.
B. Password Guessing
Applications should defend against password guessing attempts including brute
force attacks by implementing the following methods:
E. General Recommendations:
All passwords (e.g., User, Admin, SuperAdmin etc.) should be changed
on at least a quarterly basis
User/Application should not use vendor-supplied/defaults passwords.
Users should be provided with a mechanism for selecting their own
passwords.
Generic responses should be returned for all authentication failures such
that they do not indicate which part of the authentication data was
incorrect.
If temporary passwords (or links to temporary passwords) are used, the
following should get enforced:
o For Reset password we send mail with link to change password,
which gets expired on below scenario.
Transerv Pvt Ltd.
Secure Coding Guidelines Date:03/05/17
Version-01
Rev No.00
4 Secure Coding
4.1 Database Security
A. Defensive Coding
The use of proper coding practices is a straightforward solution for web
application vulnerabilities especially for SQL injection vulnerability since it is due
to insecure coding of web developers. Below is the defensive coding method
that you should follow:
C. File Upload
Confirm authentication before allowing a file to be uploaded
Limit the type of files that can be uploaded to only those types that are
needed for your business purposes.
Validating extension of a file is not sufficient. Applications should
validate uploaded files are the expected type by checking file Content-
Type and/or headers.
Never send the absolute file path to the client.
Scan user uploaded d files for viruses and malware
Transerv Pvt Ltd.
Secure Coding Guidelines Date:03/05/17
Version-01
Rev No.00
https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
http://www.irdindia.in/journal_ijaeee/pdf/vol2_iss3/6.pdf
http://www.testandverification.com/wp-content/uploads/tvs-white-paper-secure-web-development-guide-
SAMPLE.pdf