Suggestions for Application Security During Development and Maintenance


In this blog post I suggest following the rules below for application security during application development and maintenance.

This topic is related to penetration testing.

From an application's initial stage through its maintenance stage, we should maintain application security.
During the development and maintenance of the application, we need to follow the rules below:

1. Don't use the plain Statement class to retrieve data from the database in DAO classes.
2. Use PreparedStatement for SQL queries.
3. Don't store sensitive data in application directories without encrypting the file.
4. Showing sensitive data in URLs is not a best practice.
5. An SSL certificate (ECDSA, RSA) is mandatory for the application or server.
6. Don't expose database keys directly in application links.
7. The data patterns written for input fields should be accurate.
8. Use a separate token system for sensitive functionality.
9. Check the status of all the ports used by the application on the server.
10. Don't push code with default credentials in the application.
11. Don't allow special characters to be entered in input fields.
12. Don't allow authentication after 3 incorrect attempts.
13. Regenerate the session token after a successful login.
14. Use IDS/IPS on servers to detect malicious requests.
15. Use a CAPTCHA for sensitive functionality.
16. Session tokens and functionality-specific tokens should not be predictable.
17. Don't store log files in application directories.
18. Keep the technologies used to develop the application updated to their latest releases.
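
Rules 12, 13 and 16 meet in the login routine. The sketch below is an added example, not code from the original post: the `AuthService` class, its method names, the PBKDF2 password hashing and the in-memory storage are assumptions made for illustration, and how a locked account gets unlocked is left out because the rules above do not cover it.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3  # rule 12: no authentication after 3 incorrect attempts

class AuthService:
    """In-memory sketch (hypothetical); a real application persists this state."""

    def __init__(self):
        self._users = {}     # username -> (salt, password hash)
        self._failures = {}  # username -> consecutive failed logins
        self._sessions = {}  # session token -> username, or None if anonymous

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def new_session(self):
        # Rule 16: 256 bits from the OS CSPRNG, never a counter or timestamp.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = None
        return token

    def is_locked(self, username):
        return self._failures.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, old_token, username, password):
        """Return a fresh session token on success, None on failure or lockout."""
        if self.is_locked(username):
            return None  # refused even if the password is now correct
        # Unknown users get a dummy record so the same hashing work is done.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._hash(password, salt), stored):
            self._failures[username] = self._failures.get(username, 0) + 1
            return None
        self._failures.pop(username, None)
        # Rule 13: drop the pre-login token so a token planted or observed
        # before authentication never becomes an authenticated session.
        self._sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, token):
        return self._sessions.get(token)
```
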


Thanks,

Vijay Kumar Sokkala
Application Security Analyst
http://www.mouritech.com/
