Ensuring your application is Secure by Design
You can follow the guidelines listed below for ensuring that your application is Secure By Design.
· When your application stores or transmits data that attackers want, use cryptography. You can implement encryption yourself or require your end users to use platform encryption features such as Encrypting File System (EFS), Secure Sockets Layer (SSL) or IP Security (IPSec).
o Sample scenarios are when storing or transmitting personal information about people, financial information or authentication credentials.
· Use the authentication and authorization mechanisms built into the .NET Framework.
· Use standard network protocols for network communications when possible. This improves compatibility with firewalls, which are typically configured to analyze network traffic and drop all packets that are not specifically allowed.
· Implement the principle of least privilege. Design and implement your applications so that they use the least privileges necessary to carry out any action. A simple example is connecting to a database for data access. Instead of connecting with a credential that has very high permissions, determine what permissions your application requires, create a role that has those permissions, and use a credential appropriate to that specific role.
· Follow known techniques for reducing the attack surface. In other words, minimize the entry points to your application.
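The database case from the least-privilege guideline, written out as an added example (not code from the original post). It assumes SQL Server; the database, table, procedure, role, login and user names are all hypothetical, and the password is a placeholder.

```sql
-- Constructed example for SQL Server (T-SQL). Every object name is hypothetical.
-- An administrator runs this once at deployment time; the application itself
-- never connects with the administrative credential.

USE OrdersDb;   -- hypothetical application database
GO

-- 1. Create a role that carries only what the application needs.
CREATE ROLE orders_app_role;
GO

-- Assumed requirements: read the product catalogue, read and record orders,
-- and cancel an order through one stored procedure. No UPDATE or DELETE on
-- tables, no schema changes, no access to any other object.
GRANT SELECT         ON OBJECT::dbo.Products        TO orders_app_role;
GRANT SELECT, INSERT ON OBJECT::dbo.Orders          TO orders_app_role;
GRANT EXECUTE        ON OBJECT::dbo.usp_CancelOrder TO orders_app_role;
GO

-- 2. Create a dedicated login and database user for the application
--    and place the user in the role.
CREATE LOGIN orders_app_login WITH PASSWORD = '<placeholder-strong-password>';
GO
CREATE USER orders_app_user FOR LOGIN orders_app_login;
GO
ALTER ROLE orders_app_role ADD MEMBER orders_app_user;
GO

-- 3. Review step: list every permission the role holds, so that anything
--    beyond the stated requirements is visible before go-live.
SELECT pr.name                  AS principal_name,
       pe.state_desc            AS grant_state,
       pe.permission_name,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'orders_app_role'
  AND pe.class = 1;             -- object-level permissions only
```

The application's connection string then uses `orders_app_login` rather than an administrative account, so a flaw in the application can reach only the objects granted to the role.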