CISSP® Official Study Guide, Eighth Edition
Source: Mike Chapple, James Michael Stewart, and Darril Gibson, CISSP Official Study Guide, Sybex (2018)

Authentication and Session Management
Many applications, particularly web applications, require that users authenticate prior to accessing sensitive information or modifying data in the application. One of the core security tasks facing developers is ensuring that those users are properly authenticated, that they perform only authorized actions, and that their session is securely tracked from start to finish.
The level of authentication required by an application should be tied directly to the sensitivity of that application. For example, if an application gives a user access to sensitive information or allows the user to perform business-critical operations, it should require strong multifactor authentication.
In most cases, developers should seek to integrate their applications with the organization's existing authentication systems. It is generally more secure to make use of an existing, hardened authentication system than to try to develop an authentication system for a specific application. If this is not possible, consider using externally developed and validated authentication libraries.
Similarly, developers should use established methods for session management. This includes ensuring that any cookies used for web session management are transmitted only over secure, encrypted channels and that the identifiers carried in those cookies are long and randomly generated. Session tokens should expire after a specified period of time, after which the user must reauthenticate.
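The session-management points above, worked through as an added example that is not from the study guide: identifiers come from the operating system's CSPRNG, the cookie is marked Secure (HTTPS only), HttpOnly and SameSite, and each lookup enforces both an idle timeout and an absolute lifetime so that an expired session forces reauthentication. The timeout values, the cookie name `sid` and the `SessionStore` class are assumptions chosen for illustration, not values the book prescribes.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values for this example; real values come from the organization's standard.
SESSION_ID_BYTES = 32                    # 256 bits from the OS CSPRNG
IDLE_TIMEOUT_SECONDS = 15 * 60           # reauthenticate after 15 minutes without activity
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60   # hard cap on session lifetime regardless of activity
COOKIE_NAME = "sid"                      # assumed cookie name


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by a long, random, unguessable identifier."""

    def __init__(self, clock=time.time):
        self._clock = clock              # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Bind a freshly generated identifier to an authenticated user."""
        now = self._clock()
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)   # 43 URL-safe characters
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[str]:
        """Return the user bound to sid, or None when it is unknown or expired."""
        if not sid:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT_SECONDS
        absolute_expired = now - session.created_at > ABSOLUTE_TIMEOUT_SECONDS
        if idle_expired or absolute_expired:
            self.destroy(sid)            # expired: the user must reauthenticate
            return None
        session.last_seen = now
        return session.user

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a new identifier for an existing session (e.g. after a privilege change)."""
        session = self._sessions.pop(sid, None)
        if session is None:
            return None
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int = ABSOLUTE_TIMEOUT_SECONDS) -> str:
    """Set-Cookie value: sent only over HTTPS (Secure), unreadable by page scripts
    (HttpOnly), and not attached to cross-site requests (SameSite=Strict)."""
    return (f"{COOKIE_NAME}={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")


def session_id_from_cookie_header(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the session identifier from an incoming Cookie request header."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    incoming = f"theme=dark; {COOKIE_NAME}={sid}"     # constructed request header
    print(store.lookup(session_id_from_cookie_header(incoming)))
    print(store.lookup("guessed-value"))
```

The store keeps all state server-side, so the cookie carries nothing but an opaque identifier; a guessed or stale value simply fails the lookup. The idle timeout is refreshed on every successful lookup, while the absolute timeout is not, which is what forces a periodic reauthentication even for a continuously active user.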
Error Handling
Developers love detailed error messages. The in-depth information returned in those errors is crucial to debugging code and makes it easier for technical staff to diagnose problems experienced by users.
However, those error messages may also expose sensitive internal information to attackers, including the structure of database tables, the addresses of internal servers, and other data that may be useful in reconnaissance efforts that precede an attack. Therefore, developers should disable detailed error messages (also known as debugging mode) on any servers and applications that are publicly accessible.
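The distinction between what the server logs and what the client sees, as an added example that is not from the study guide: the same handler runs in both modes, full detail always goes to the server log under an opaque incident ID, and only debug mode echoes the exception and traceback to the client. The failing `lookup_customer` handler and its error text are constructed to resemble a database driver message that names a table and an internal host; `handle_request`, `INTERNAL_MARKERS` and the generic message are assumptions for illustration.

```python
import logging
import traceback
import uuid
from typing import Callable, Dict, Tuple

log = logging.getLogger("app")

GENERIC_MESSAGE = "An internal error occurred. Quote the incident ID when contacting support."


def handle_request(handler: Callable[[], dict], debug: bool = False) -> Tuple[int, Dict]:
    """Run a request handler and translate failures into a response.

    The full traceback is always written to the server log, tagged with an incident ID.
    The client receives only a generic message and that ID, unless debug mode is on."""
    try:
        return 200, handler()
    except Exception as exc:                       # last-resort handler for unexpected failures
        incident_id = uuid.uuid4().hex
        log.error("incident %s\n%s", incident_id, traceback.format_exc())
        if debug:
            # Debug mode: convenient in development, a reconnaissance gift on a public server.
            return 500, {"error": f"{type(exc).__name__}: {exc}",
                         "trace": traceback.format_exc(),
                         "incident_id": incident_id}
        return 500, {"error": GENERIC_MESSAGE, "incident_id": incident_id}


def lookup_customer() -> dict:
    """Constructed failure: the kind of message a database driver raises, naming a table
    and an internal host (neither is real)."""
    raise RuntimeError('relation "customers" does not exist '
                       '(server db-internal-01.corp.example:5432)')


# Strings that should never reach a client; assumed list for this example's regression check.
INTERNAL_MARKERS = ("customers", "db-internal", "Traceback", ".py")


def leaks_internal_detail(body: dict) -> bool:
    """Crude check used in tests: does any client-visible field mention internal names?"""
    text = " ".join(str(value) for value in body.values())
    return any(marker in text for marker in INTERNAL_MARKERS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    status, body = handle_request(lookup_customer, debug=False)
    print(status, body)                      # generic message plus incident ID only
    status, body = handle_request(lookup_customer, debug=True)
    print(status, body["error"])             # table name and internal host exposed
```

A check like `leaks_internal_detail` belongs in the application's test suite for every error path, so that a configuration change that turns debug mode back on for a public deployment is caught before release rather than by an attacker.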


Introducing Systems Development Controls 