4. Injection Prevention Rules
• Rule #1 (Perform proper input validation):
Perform proper input validation. Positive or “whitelist” input validation with appropriate canonicalization is also recommended, but is not a complete defense as many applications require special characters in their input.
• Rule #2 (Use a safe API):
The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful of APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.
• Rule #3 (Contextually escape user data):
If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter.
• Further reading: https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet
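The three rules above, as an added example that is not part of the original cheat sheet: a lookup that concatenates user input into SQL (the defect Rule #2 is about) next to the parameterized form, a positive-validation check for Rule #1, and `shlex.quote` as the interpreter-specific escape syntax of Rule #3 for the shell. The users table and its rows are constructed sample data; the function and table names are assumptions for illustration.

```python
import re
import shlex
import sqlite3
from typing import List, Tuple

# Constructed sample data for the demo (not from the original document).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Defective form: user input becomes part of the SQL text, so the
    interpreter cannot distinguish data from code (kept only for contrast)."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Rule #2: a parameterized interface. The driver sends `name` as a bound
    value, so quotes or keywords inside it are matched literally."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Rule #1: positive (whitelist) validation for a field with a known shape.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name: str) -> bool:
    """True only if the whole string is in the allowed alphabet and length."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Validation (Rule #1) plus parameterization (Rule #2), layered."""
    if not validate_username(name):
        raise ValueError("username failed positive validation")
    return lookup_safe(conn, name)


def quote_for_shell(value: str) -> str:
    """Rule #3: when a command line must be built for the shell interpreter,
    escape with that interpreter's own syntax (POSIX single quoting)."""
    return shlex.quote(value)
```

Run against the same string containing a stray quote and an `OR` clause, `lookup_unsafe` returns every row while `lookup_safe` returns none, which is the observable difference between interpolating and binding; `lookup_hardened` rejects the string before it reaches the database at all.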
5. Authentication Rules
• Implement Proper Password Strength Controls
• Implement Secure Password Recovery Mechanism
• Store Passwords in a Secure Fashion
• Transmit Passwords Only Over TLS or Other Strong Transport
• Require Re-authentication for Sensitive Features
• An application should respond with a generic error message regardless of whether the user ID or password was incorrect.
• Prevent Brute-Force Attacks by disabling the user account after multiple failed logins.
• Enable logging and monitoring of authentication functions to detect attacks
• Further reading: https://www.owasp.org/index.php/Authentication_Cheat_Sheet
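Several of the authentication rules above in one small login routine, as an added example that is not code from the original document: salted PBKDF2 password storage, constant-time comparison, a single generic failure message for unknown users, wrong passwords and locked accounts, lockout after a fixed number of failures, and logging of every outcome. `UserStore`, `MAX_FAILED` and the iteration count are assumptions for illustration; the iteration count is kept modest so the example runs quickly and should be set according to current guidance in production.

```python
import hashlib
import hmac
import logging
import os
from typing import Dict, Optional, Tuple

log = logging.getLogger("auth")

MAX_FAILED = 5                      # assumed lockout threshold
GENERIC_ERROR = "Invalid username or password"
PBKDF2_ITERATIONS = 100_000         # assumed; tune upward for production
DUMMY_SALT = b"\x00" * 16           # used only to equalize work for unknown users


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class UserStore:
    """In-memory stand-in for a user table: only salt and digest are stored,
    never the password itself."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}


def login(store: UserStore, username: str, password: str) -> Tuple[bool, str]:
    """Return (success, message). Every failure path returns the same message
    so the response does not reveal whether the username exists."""
    user = store.users.get(username)
    if user is None:
        # Do comparable work so timing does not reveal that the user is unknown.
        hash_password(password, DUMMY_SALT)
        log.warning("login failed: unknown user %r", username)
        return False, GENERIC_ERROR
    if user["locked"]:
        log.warning("login attempt on locked account %r", username)
        return False, GENERIC_ERROR
    if not verify_password(password, user["salt"], user["hash"]):
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED:
            user["locked"] = True
            log.warning("account %r locked after %d failed logins", username, user["failures"])
        else:
            log.info("login failed for %r (%d failures)", username, user["failures"])
        return False, GENERIC_ERROR
    user["failures"] = 0
    log.info("login succeeded for %r", username)
    return True, "ok"
```

The detail worth noticing is that the caller gets the same `(False, GENERIC_ERROR)` tuple whether the account is unknown, the password is wrong or the account is locked; the distinction is written to the log for monitoring, not returned to the client.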
6. Sensitive Data Rules
• Classify data processed, stored or transmitted by application.
• Identify which data is sensitive according to laws, regulation and business needs.
• Don't store sensitive data unnecessarily. Data that is not retained cannot be stolen.
• Make sure to encrypt sensitive data at rest.
• Encrypt all data in transit with secure protocols like TLS.
• Disable caching for responses which contain sensitive data.
• Further reading: http://cwe.mitre.org/data/definitions/312.html
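The "disable caching for responses which contain sensitive data" rule, as an added example that is not part of the original document: a WSGI middleware that replaces any caching headers an application set with `Cache-Control: no-store` (plus the legacy `Pragma` and `Expires` headers) on paths classified as sensitive. The path prefixes, the demo application and the `call` harness are assumptions constructed for illustration.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Assumed classification: path prefixes whose responses carry sensitive data.
SENSITIVE_PREFIXES = ("/account", "/api/payments")

NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
_CACHE_HEADER_NAMES = {"cache-control", "pragma", "expires"}


def is_sensitive(path: str) -> bool:
    """Classification hook: decide by path prefix (assumed policy)."""
    return path.startswith(SENSITIVE_PREFIXES)


def no_store_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app so sensitive responses are never cached downstream,
    regardless of what the wrapped handler set."""

    def wrapped(environ: dict, start_response: Callable) -> Iterable[bytes]:
        def _start(status: str, headers: List[Tuple[str, str]], exc_info=None):
            if is_sensitive(environ.get("PATH_INFO", "")):
                # Drop any caching directives the handler set, then force no-store.
                headers = [(k, v) for k, v in headers if k.lower() not in _CACHE_HEADER_NAMES]
                headers = headers + NO_STORE_HEADERS
            return start_response(status, headers, exc_info)

        return app(environ, _start)

    return wrapped


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed handler that (wrongly) marks everything as publicly cacheable."""
    start_response(
        "200 OK",
        [("Content-Type", "application/json"), ("Cache-Control", "public, max-age=3600")],
    )
    return [b'{"balance": 42}']


def call(app: Callable, path: str) -> Tuple[str, Dict[str, str], bytes]:
    """Minimal in-process WSGI client: returns (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return str(captured["status"]), captured["headers"], body  # type: ignore[return-value]
```

Enforcing this in middleware rather than in each handler mirrors the other rules in this list: a handler that forgets, or sets `public`, is corrected centrally, while responses outside the sensitive prefixes keep whatever caching policy the application chose.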
7. Access Control Rules
• Divide the software into anonymous, normal, privileged, and administrative areas. Carefully map roles with data and functionality.
• Ensure that you perform access control checks related to your business logic.
• Consider using authorization frameworks such as the JAAS Authorization Framework.
• For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page.
• Use the access control capabilities of your operating system and server environment.
• Further reading: https://cwe.mitre.org/data/definitions/285.html
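The access control rules above, as an added example that is not code from the original document: the four areas (anonymous, normal, privileged, administrative) as an ordered role, a decorator that declares the minimum role for each server-side action, a business-logic check (a normal user may only view their own orders), and a dispatcher that refuses to run any handler without a declared policy, so an action that was never mapped to a role is denied rather than silently allowed. The orders table, the handler names and the `dispatch` layer are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from functools import wraps
from typing import Callable, Dict


class Role(IntEnum):
    """Ordered areas of the application; a higher value implies the lower ones."""
    ANONYMOUS = 0
    NORMAL = 1
    PRIVILEGED = 2
    ADMIN = 3


class Forbidden(Exception):
    """Raised when an access control check fails."""


@dataclass(frozen=True)
class User:
    username: str
    role: Role


def requires(min_role: Role) -> Callable:
    """Declare the minimum role for a handler and enforce it on every call."""

    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if user.role < min_role:
                raise Forbidden(f"{fn.__name__} requires {min_role.name}, user has {user.role.name}")
            return fn(user, *args, **kwargs)

        wrapper._min_role = min_role  # type: ignore[attr-defined]
        return wrapper

    return decorator


# Constructed sample data (not from the original document).
ORDERS: Dict[int, dict] = {
    101: {"owner": "alice", "total": 20},
    102: {"owner": "bob", "total": 35},
}


@requires(Role.NORMAL)
def view_order(user: User, order_id: int) -> dict:
    """Business-logic check: ownership, unless the caller is privileged or above."""
    order = ORDERS[order_id]
    if order["owner"] != user.username and user.role < Role.PRIVILEGED:
        raise Forbidden(f"{user.username} does not own order {order_id}")
    return order


@requires(Role.ADMIN)
def delete_order(user: User, order_id: int) -> bool:
    return ORDERS.pop(order_id, None) is not None


def export_all(user: User) -> Dict[int, dict]:
    """Deliberately left without a @requires declaration to show default deny."""
    return ORDERS


HANDLERS: Dict[str, Callable] = {
    "view_order": view_order,
    "delete_order": delete_order,
    "export_all": export_all,
}


def dispatch(user: User, action: str, *args):
    """Server-side entry point for every action: unknown actions and handlers
    with no declared policy are refused before any code runs."""
    fn = HANDLERS.get(action)
    if fn is None or getattr(fn, "_min_role", None) is None:
        raise Forbidden(f"no access control policy declared for {action!r}")
    return fn(user, *args)


def allowed(user: User, action: str, *args) -> bool:
    """Convenience wrapper: True if dispatch succeeds, False if it is forbidden."""
    try:
        dispatch(user, action, *args)
        return True
    except Forbidden:
        return False
```

Note that `export_all` is rejected even for an administrator: the dispatcher's default is deny, so a handler can only be reached once someone has explicitly mapped it to a role, which is the "carefully map roles with data and functionality" rule made mechanical.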