Monday, November 20, 2006

UI Security Check #1

I was trying to collate a few checks for Web UI security. Here are some things for check one.
I invite people to put in their suggestions and comments on these.

#1. Does the UI disclose information that might compromise the security of the system?

  • Don’t provide information in error messages that might compromise the security of the system (stack traces, internal paths, framework or server version strings).
  • Don’t reveal data-store locations or URLs when they are not necessary.
  • Mask sensitive information such as the SQL Server name, user ID and password; a raw connection string surfaced in an exception message exposes all three at once.
  • Don’t return error pages that reflect unencoded user input. An error message that echoes the offending request value back to the browser is a common reflected cross-site scripting vector.
  • Don’t allow links that open executables.
  • Don’t provide error information with clickable links. Convert links to plain text so the target has to be read, and can be scrutinized, before it is launched.
  • Ensure that logs are correctly stripped of sensitive information; the same masking that applies to the page applies to the log line written behind it.
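The following is an added example, not code from the original post, showing the check above applied to a login error handler. The scenario is constructed: a database login fails and the driver's exception text carries the server name, user ID and a connection string with a password (hypothetical host `db01.corp.internal`, user `app_svc`, and a made-up password). The leaky handler reflects the raw input and the raw exception; the hardened handler returns a generic message tied to an opaque reference ID, writes the redacted detail to a server-side log, HTML-encodes anything it echoes, and flattens links to plain text. `disclosure_findings` is a small review helper that flags the checklist items in a rendered page.

```python
"""Added example: keeping system internals out of error pages and logs."""
import html
import re
import uuid

# Constructed sample data, not a real host or credential.
CONN_STRING = ("Server=db01.corp.internal;Database=Orders;"
               "User ID=app_svc;Password=Tr0ub4dor&3")
DB_ERROR = ("Login failed for user 'app_svc' on server 'db01.corp.internal'. "
            "Connection string: " + CONN_STRING)

# Fragments that must never reach the browser or an unredacted log line.
SECRET_PATTERNS = [
    (re.compile(r"(Password=)[^;\s]+", re.I), r"\1[REDACTED]"),
    (re.compile(r"(User ID=)[^;\s]+", re.I), r"\1[REDACTED]"),
    (re.compile(r"(Server=)[^;\s]+", re.I), r"\1[REDACTED]"),
    (re.compile(r"(user|server) '[^']*'", re.I), r"\1 '[REDACTED]'"),
]

# Matches <a ... href="...">text</a> so links can be rendered as plain text.
LINK_TAG = re.compile(r"<a\s[^>]*?href=[\"']([^\"']*)[\"'][^>]*>(.*?)</a>",
                      re.I | re.S)


def redact(text):
    """Mask server names, user IDs and passwords before text is logged."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def links_to_plain_text(fragment):
    """Turn an anchor into 'text (url)' so the URL is read rather than clicked."""
    return LINK_TAG.sub(
        lambda m: "%s (%s)" % (m.group(2), html.escape(m.group(1))), fragment)


def leaky_error_page(username, exc_message):
    """Anti-pattern: reflects raw input, raw exception text and a live link."""
    return ("<p>Login failed for %s: %s</p>"
            "<p><a href=\"http://help.example/err\">More info</a></p>"
            % (username, exc_message))


def hardened_error_page(username, exc_message, log):
    """Generic message to the user; redacted detail to the log, joined by an ID."""
    ref = uuid.uuid4().hex[:12]
    # Drop line breaks so a crafted username cannot forge extra log lines.
    safe_user = username.replace("\r", " ").replace("\n", " ")
    log.append("ref=%s user=%r error=%s" % (ref, safe_user, redact(exc_message)))
    body = ("<p>Login failed for %s. Reference %s.</p>"
            "<p>Support: <a href=\"http://help.example/err\">help.example</a></p>"
            % (html.escape(username), ref))
    return links_to_plain_text(body), ref


def disclosure_findings(page):
    """Review helper: list the checklist violations visible in a rendered page."""
    findings = []
    if re.search(r"(Server|User ID|Password)=", page, re.I):
        findings.append("connection-string fragment in page")
    if re.search(r"<script", page, re.I):
        findings.append("unencoded script tag in page")
    if re.search(r"<a\s", page, re.I):
        findings.append("clickable link in error page")
    if re.search(r"\.(exe|msi|bat)\b", page, re.I):
        findings.append("link to an executable")
    return findings


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print("leaky:", disclosure_findings(leaky_error_page(probe, DB_ERROR)))
    log = []
    page, ref = hardened_error_page(probe, DB_ERROR, log)
    print("hardened:", disclosure_findings(page))
    print("log line:", log[0])
```

The reference ID is the piece that makes the generic message usable: support staff look it up in the log, which holds the redacted detail, while the user sees nothing about the database. The redaction patterns here are deliberately narrow to the constructed sample; a real deployment would cover whatever its own drivers and frameworks put into exception text.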

Relevance: Developer
