- Definition: Confidentiality means that sensitive information must not be readable by unauthorized persons. In part, confidentiality is achieved by authentication and authorization. In this chapter, we discuss the other confidentiality measures you can take to keep private information private.
- Remediation: SSL + cryptography; browser settings (disable unneeded browser features); no directory listing on the web server; handling of cached data and cookies.
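The following is an added example, not code from the slide deck, showing three of the server-side confidentiality measures listed above with Go's standard `net/http`: refusing directory listings, marking a private response `Cache-Control: no-store`, and issuing the session cookie with `HttpOnly`, `Secure` and `SameSite`. The in-memory document root, the `/account` endpoint and the `cert.pem`/`key.pem` paths are assumptions made for the example.

```go
package main

import (
	"io/fs"
	"log"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
	"testing/fstest"
)

// site is a constructed in-memory document root standing in for a real
// ./public directory, so the example runs without files on disk.
var site = fstest.MapFS{
	"docs/readme.txt": {Data: []byte("public documentation")},
}

// noListing refuses any request that resolves to a directory, so the server
// never enumerates a directory's contents; plain files pass through to next.
func noListing(fsys fs.FS, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(path.Clean("/"+r.URL.Path), "/")
		if name == "" {
			name = "."
		}
		if st, err := fs.Stat(fsys, name); err == nil && st.IsDir() {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// accountHandler stands in for any endpoint returning private data: the
// response must not be stored by browser or proxy caches, and the session
// cookie is unreadable from script and only travels over TLS.
func accountHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "no-store")
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    "opaque-session-id-placeholder", // assumption: issued at login
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})
	w.Write([]byte("private account data"))
}

func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/account", http.HandlerFunc(accountHandler))
	mux.Handle("/", noListing(site, http.FileServer(http.FS(site))))
	return mux
}

// probe performs one in-process GET (no socket) and returns status + headers;
// main uses it as a self-check and the tests reuse it.
func probe(h http.Handler, target string) (int, http.Header) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Header()
}

func main() {
	h := newServer()
	for _, p := range []string{"/", "/docs/", "/docs/readme.txt", "/account"} {
		code, hdr := probe(h, p)
		log.Printf("%-18s -> %d Cache-Control=%q", p, code, hdr.Get("Cache-Control"))
	}
	// cert.pem / key.pem are placeholders for the server's TLS certificate and key.
	log.Fatal(http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", h))
}
```

Requests for `/` and `/docs/` get 404 instead of an index page, `/docs/readme.txt` is still served, and `/account` carries the no-store header and the hardened cookie.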
- Definition: Integrity means that data must not be changed during transmission. If data is tampered with, this should be detected.
- Remediation: SSL + Cryptography.
- Definition: Authentication means we should ensure that only legitimate persons are able to access the application. During authentication, the identity of a user is established and their credentials are checked.
- Remediation: Authentication + access control, caching of authentication tokens, account lockout after repeated failed attempts, no hard-coded credentials in code, hard-to-guess and encrypted session IDs, a limit on the number of sessions, session timeout, no default passwords, secured channels that are kept open, secured administrative interfaces, applying patches, secure DB connections.
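As an added example (not from the slide deck), here is a small in-memory login service in Go that implements three of the remediations above: lockout after repeated failed attempts, session IDs drawn from the OS random source rather than anything guessable, and an idle session timeout. The policy values, the sample account and the use of plain SHA-256 in place of a real password KDF are assumptions made to keep the example standard-library only.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// Policy values are assumptions for this example, not from the slide deck.
const (
	maxFailures    = 5 // consecutive bad passwords before the account locks
	lockoutPeriod  = 15 * time.Minute
	sessionTimeout = 30 * time.Minute // idle timeout, extended on each valid use
)

var ErrBadLogin = errors.New("invalid username or password")
var ErrLocked = errors.New("account temporarily locked")

type account struct {
	hash        [32]byte // sha256 stands in for a real password KDF (Argon2id, bcrypt)
	failures    int
	lockedUntil time.Time
}

type session struct {
	user    string
	expires time.Time
}

// Auth keeps state in memory; the clock is injectable so tests can move time.
type Auth struct {
	mu       sync.Mutex
	now      func() time.Time
	accounts map[string]*account
	sessions map[string]*session
}

func NewAuth(now func() time.Time) *Auth {
	return &Auth{now: now, accounts: map[string]*account{}, sessions: map[string]*session{}}
}

func (a *Auth) AddUser(user, password string) {
	a.accounts[user] = &account{hash: sha256.Sum256([]byte(password))}
}

// Login: lockout check, constant-time password compare, then a 256-bit
// session ID from the OS CSPRNG (not derived from user, time or a counter).
func (a *Auth) Login(user, password string) (string, error) {
	a.mu.Lock()
	defer a.mu.Unlock()
	now := a.now()
	acct, ok := a.accounts[user]
	if !ok {
		return "", ErrBadLogin // same error as a wrong password: no user enumeration
	}
	if now.Before(acct.lockedUntil) {
		return "", ErrLocked
	}
	given := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(given[:], acct.hash[:]) != 1 {
		if acct.failures++; acct.failures >= maxFailures {
			acct.failures, acct.lockedUntil = 0, now.Add(lockoutPeriod)
		}
		return "", ErrBadLogin
	}
	acct.failures = 0
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	a.sessions[id] = &session{user: user, expires: now.Add(sessionTimeout)}
	return id, nil
}

// Validate rejects unknown or idle-expired sessions and extends the timeout.
func (a *Auth) Validate(id string) (string, bool) {
	a.mu.Lock()
	defer a.mu.Unlock()
	s, ok := a.sessions[id]
	now := a.now()
	if !ok || !now.Before(s.expires) {
		delete(a.sessions, id)
		return "", false
	}
	s.expires = now.Add(sessionTimeout)
	return s.user, true
}

func main() {
	a := NewAuth(time.Now)
	a.AddUser("alice", "correct horse battery staple") // constructed sample account
	_, err := a.Login("alice", "wrong")
	println(err.Error())
}
```

Two details worth noting: an unknown user and a wrong password return the same error, so the login form does not reveal which accounts exist, and the lock is checked before the password is compared, so a locked account cannot be brute-forced while the lock holds.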
- Definition: Authorization means we should control access to application resources by authenticated users or code.
- Remediation: Code-access security, role-based security, secured DB accounts, secured DB admin access to avoid direct data manipulation that bypasses the application.
- Definition: Non-repudiation, in its simplest form, means that proof should be provided about the fact that a certain message has been sent by a certain party. Non-repudiation of this kind can be obtained by using cryptography: digital signatures assure that a certain message is sent by the owner of a certain private key, and that the message has not been tampered with.
- Remediation: SSL + Cryptography.
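The following added example (not from the slide deck) covers both the integrity bullet above and the non-repudiation bullet here with Go's standard crypto packages. It walks one constructed message through an HMAC-SHA256 tag and an Ed25519 signature, shows that both detect tampering, and then shows the difference that matters for non-repudiation: the receiver, who shares the MAC key, can produce a valid tag for a message the sender never sent, whereas only the holder of the private key can produce a verifying signature. The Alice/Bob scenario and the order text are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Integrity with a shared secret: an HMAC-SHA256 tag over the message.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macVerify compares in constant time (hmac.Equal), never with bytes.Equal.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// Signer holds an Ed25519 key pair; only the holder of the private half can sign.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.private, msg) }

// Outcome records what each mechanism does and does not establish.
type Outcome struct {
	MACAccepted, MACTamperDetected, SigAccepted, SigTamperDetected bool
	ReceiverForgedMAC, ReceiverForgedSig                           bool
}

// Demo runs a constructed scenario: Alice sends Bob an order; in transit the
// amount is altered; later Bob tries to claim Alice sent the altered order.
func Demo() (Outcome, error) {
	var out Outcome
	order := []byte("transfer 100 EUR to account 42") // constructed message
	tampered := bytes.Replace(order, []byte("100"), []byte("900"), 1)

	// Shared-key integrity: Alice and Bob both hold key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return out, err
	}
	tag := macTag(key, order)
	out.MACAccepted = macVerify(key, order, tag)
	out.MACTamperDetected = !macVerify(key, tampered, tag)
	// Bob holds the same key, so he can tag a message Alice never sent:
	// a MAC proves integrity between the two parties, not origin to a third.
	out.ReceiverForgedMAC = macVerify(key, tampered, macTag(key, tampered))

	// Digital signature: only Alice has the private key; anyone can verify.
	alice, err := NewSigner()
	if err != nil {
		return out, err
	}
	sig := alice.Sign(order)
	out.SigAccepted = ed25519.Verify(alice.Public, order, sig)
	out.SigTamperDetected = !ed25519.Verify(alice.Public, tampered, sig)
	// Bob's best effort at forging is to sign with a key of his own; it does
	// not verify under Alice's public key, so Alice can repudiate it.
	bob, err := NewSigner()
	if err != nil {
		return out, err
	}
	out.ReceiverForgedSig = ed25519.Verify(alice.Public, tampered, bob.Sign(tampered))
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Both mechanisms accept the genuine order and reject the altered one; only `ReceiverForgedMAC` comes out true, which is exactly why a MAC gives integrity but not non-repudiation.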
- Definition: Availability means that we should prevent attacks that try to make the application unavailable for legitimate users of the application.
- Remediation: Input validation: HTTP request validation, input length validation, rejection of unsupported characters, character set validation.
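As an added example (not from the slide deck), here is a Go login handler that applies the availability-related input checks listed above in cost order: the request body is capped before it is read, then the username is checked for length, UTF-8 validity and an allowed character set before anything more expensive (a database lookup, a password hash) would run. The limits, the endpoint and the body format are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"unicode/utf8"
)

const (
	maxUsernameLen = 64   // assumed policy limit
	maxBodyBytes   = 4096 // assumed cap for a login form
)

// validateUsername checks length first (cheapest), then UTF-8 validity, then
// the allowed character set, so oversized or malformed input is rejected
// before any costlier processing.
func validateUsername(s string) error {
	if len(s) == 0 || len(s) > maxUsernameLen {
		return fmt.Errorf("username length %d outside 1..%d", len(s), maxUsernameLen)
	}
	if !utf8.ValidString(s) {
		return errors.New("username is not valid UTF-8")
	}
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '_', r == '-', r == '.':
		default:
			return fmt.Errorf("unsupported character %q in username", r)
		}
	}
	return nil
}

// readLimited caps the request body; reading beyond max fails instead of
// letting one client make the server buffer an unbounded amount of data.
func readLimited(w http.ResponseWriter, r *http.Request, max int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, max)
	return io.ReadAll(r.Body)
}

// loginHandler applies both checks before doing anything with the input.
// Constructed simplification: the body carries only the username.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	body, err := readLimited(w, r, maxBodyBytes)
	if err != nil {
		http.Error(w, "request too large", http.StatusRequestEntityTooLarge)
		return
	}
	user := strings.TrimSpace(string(body))
	if err := validateUsername(user); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %s\n", user)
}

// post runs loginHandler in-process against a body and returns the status code.
func post(body string) int {
	rec := httptest.NewRecorder()
	loginHandler(rec, httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(body)))
	return rec.Code
}

func main() {
	for _, b := range []string{"alice_01", strings.Repeat("a", 65), "al\x00ice", strings.Repeat("x", 10000)} {
		fmt.Printf("%d-byte body -> %d\n", len(b), post(b))
	}
}
```

A well-formed username is accepted (200), an over-long or oddly encoded one is refused with 400, and a body above the cap is refused with 413 without ever being fully read into memory.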
More details in the following overview slide deck: