blabla1337 opened this issue 5 years ago
Identify all application components
Description:
When you are building an application you first want to map where you are placing
source files, libraries and executables.
With these components identified and mapped, it becomes transparent where possible
pitfalls might be in your application, and it increases the maintainability of the
system. It also gives you an indicator of where reinforcements have to be
implemented to avoid attacks (i.e. places where your application contains executables).
Solution:
Verify that all application components (either individual or groups of source files,
libraries, and/or executables) that are present in the application are identified.
When you have identified these components, you may want to map and document them in order to
have a quick reference to this infrastructure when needed.
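As an added example (not part of the knowledge base item above), the script below walks an application tree, sorts every file into source, library or executable, and reports executables that live outside the directory where they are expected. The extension tables, the `bin` directory convention and the sample tree are assumptions constructed for the demo.

```python
"""Inventory an application tree into source files, libraries and executables.

Added example, not from the SKF knowledge base. The extension tables and the
sample tree are assumptions chosen for illustration.
"""
import os
import stat
import tempfile

# Assumed extension mapping; adjust to the stack you are inventorying.
SOURCE_EXT = {".py", ".js", ".java", ".c", ".go"}
LIBRARY_EXT = {".so", ".dll", ".jar", ".whl"}
EXECUTABLE_EXT = {".exe", ".bin", ".sh"}


def classify(path):
    """Return 'executable', 'library', 'source' or 'other' for one file."""
    ext = os.path.splitext(path)[1].lower()
    mode = os.stat(path).st_mode
    # A file is an executable if it has an executable extension or any exec bit set.
    if ext in EXECUTABLE_EXT or mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "executable"
    if ext in LIBRARY_EXT:
        return "library"
    if ext in SOURCE_EXT:
        return "source"
    return "other"


def inventory(root):
    """Walk root and return {category: sorted list of relative '/'-separated paths}."""
    result = {"source": [], "library": [], "executable": [], "other": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[classify(full)].append(rel)
    for cat in result:
        result[cat].sort()
    return result


def executables_outside(inv, allowed_dir):
    """Executables not under allowed_dir: the places that deserve a closer look."""
    return [p for p in inv["executable"] if not p.startswith(allowed_dir + "/")]


def build_sample_tree():
    """Constructed sample tree used for the demo; returns its root directory."""
    root = tempfile.mkdtemp()
    files = {
        "app/main.py": 0o644,
        "app/utils.js": 0o644,
        "lib/crypto.so": 0o644,
        "bin/run.sh": 0o755,
        "uploads/helper.sh": 0o755,   # executable sitting in an upload directory
        "docs/readme.txt": 0o644,
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    inv = inventory(root)
    for cat, paths in inv.items():
        print(cat, paths)
    print("executables to review:", executables_outside(inv, "bin"))
```

The inventory dictionary is the map the item asks for; the `executables_outside` result is the list of places where reinforcement (tighter permissions, removal, or a review of how the file got there) is most likely needed.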
Unauthorised access and modification
Description:
Throughout the development of the application there must be perpetual checks in place to verify
that all pages and resources require authentication by default, except those specifically intended to be public.
Sometimes developers simply forget to implement these checks, or they remove the checks
temporarily for testing purposes.
Solution:
Verify that all access controls are implemented properly in order to prevent a user from accessing data or functions
he is not intended to use.
Server side validation
Description:
Validation of user supplied input must always be enforced on the server side.
Whenever validation of the input is performed on the client side, the constraints can easily
be bypassed: an attacker can use an intercepting proxy to tamper with the data after it has been
validated and sent to the server, or simply change the constraint on the client side in his browser
to bypass it.
Solution:
All validation of input should be handled on the server side. Whenever the validation is handled on
the server side, the validation logic is outside of the scope of the attacker and he cannot influence
the results.
Note: validation of input should never be done with a blacklisting approach, since attackers can be very
nifty in bypassing these types of constraints. Always perform whitelist validation checks, preferably in
combination with type checking, i.e. if the application expects the value to be an integer, do not make
the application accept a string value. Such input should be logged and rejected.
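As an added example (not code from the knowledge base), the validator below re-checks on the server everything a form like `<input name="quantity" type="number" min="1" max="100">` would only check in the browser: each field is described positively (an allowlist pattern for the username, a canonical integer within a range for the quantity), values are converted to their expected type before use, and any rejected submission is logged with the offending field. The field rules, the form shape and the log format are assumptions chosen for illustration.

```python
"""Server-side allowlist validation with type checking; rejected input is logged.

Added example, not from the SKF knowledge base. The field rules, form shape
and log format are assumptions chosen for illustration.
"""
import logging
import re

log = logging.getLogger("input-validation")
logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# Allowlist: describe what IS accepted; everything else is rejected.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
CANONICAL_INT_RE = re.compile(r"-?(0|[1-9][0-9]*)")   # no leading zeros, no spaces


class ValidationError(ValueError):
    """Raised for any value that does not match its allowlist rule."""


def validate_int(value, name, lo, hi):
    """Accept only a canonical decimal integer string within [lo, hi]; return it as int."""
    if not isinstance(value, str) or not CANONICAL_INT_RE.fullmatch(value):
        raise ValidationError(f"{name}: not an integer")
    n = int(value)
    if not lo <= n <= hi:
        raise ValidationError(f"{name}: out of range {lo}..{hi}")
    return n


def validate_username(value):
    """Accept only the allowed character set and length; return the string unchanged."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValidationError("username: not in allowed character set")
    return value


def validate_order(form, remote_addr="constructed-client"):
    """Validate a submitted form as the server receives it (all values are strings).

    Returns a dict of typed values, or None when any field fails. Rejections are
    logged with the field and a truncated copy of the input so they can be
    monitored without letting the log itself be flooded."""
    try:
        return {
            "username": validate_username(form.get("username")),
            "quantity": validate_int(form.get("quantity"), "quantity", 1, 100),
        }
    except ValidationError as exc:
        log.warning("rejected input from %s: %s (%r)", remote_addr, exc, str(form)[:80])
        return None


if __name__ == "__main__":
    # Constructed submissions: the second one is what a client-side check would
    # have blocked, but a proxy or an edited page sends it anyway.
    print(validate_order({"username": "alice_01", "quantity": "5"}))
    print(validate_order({"username": "alice_01", "quantity": "five"}))
```

Because `validate_int` returns a real `int`, downstream code never has to re-check the type, and because the integer pattern is canonical, values such as `"007"` or `" 5"` are rejected rather than silently normalised.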