Page 1394 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
actions, and that their session is securely tracked from start to finish.

The level of authentication required by an application should be tied directly to the level of sensitivity of that application. For example, if an application provides a user with access to sensitive information or allows the user to perform business-critical functions, it should require the use of strong multifactor authentication.

In most cases, developers should seek to integrate their applications with the organization's existing authentication systems. It is generally more secure to make use of an existing, hardened authentication system than to try to develop an authentication system for a specific application. If this is not possible, consider using externally developed and validated authentication libraries.

Similarly, developers should use established methods for session management. This includes ensuring that any cookies used for web session management are transmitted only over secure, encrypted channels and that the identifiers used in those cookies are long and randomly generated. Session tokens should expire after a specified period of time and require that the user reauthenticate.

Error Handling Developers love detailed error messages. The in-depth information returned in those errors is crucial to debugging code and makes it easier for technical staff to diagnose problems experienced by users.

However, those error messages may also expose sensitive internal information to attackers, including the structure of database tables, the addresses of internal servers, and other data that may be useful in reconnaissance efforts that precede an attack. Therefore, developers should disable detailed error messages (also known as debugging mode) on any servers and applications that are publicly accessible.

Logging While user-facing detailed error messages may present a security threat, the information that those messages contain is quite useful, not only to developers but also to cybersecurity analysts. Therefore, applications should be configured to send detailed logging of errors and other security events to a centralized log repository.
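The Error Handling and Logging points above fit together in one handler: the full exception detail goes to the central log repository, and the user receives only a generic message carrying a reference id that an analyst can match against the log. This is an added example, not code from the study guide; the `CentralLogSink` class stands in for whatever forwarder (syslog, SIEM agent) the organization actually uses, and the internal hostname in the constructed exception is a made-up value.

```python
import logging
import traceback
import uuid


class CentralLogSink(logging.Handler):
    """Stand-in for the centralized log repository; keeps formatted records in memory."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


# One logger for application errors, wired to the central sink only.
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False
sink = CentralLogSink()
sink.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
logger.addHandler(sink)


def handle_exception(exc, debug_mode):
    """Log full detail centrally; return (status, body) for the client.

    debug_mode=True reproduces the 'detailed error message' behaviour the
    text warns about and should only ever be on for non-public deployments.
    """
    incident_id = uuid.uuid4().hex
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    # Analysts get the traceback, internal hostnames, table names, etc. from the log.
    logger.error("incident=%s %s", incident_id, details.rstrip())
    if debug_mode:
        return 500, details
    # Public-facing response: nothing about internals, just a correlation handle.
    return 500, f"An internal error occurred. Reference: {incident_id}"


def query_orders(debug_mode):
    """Simulated request handler whose backend call fails (constructed failure)."""
    try:
        raise RuntimeError("table 'orders' not found on db-internal-01.corp.example")
    except RuntimeError as exc:
        return handle_exception(exc, debug_mode)
```

With `debug_mode=False` the response body never contains the table name or the internal server address, while the corresponding record in `sink.records` carries both together with the incident id from the response.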

The Open Web Application Security Project (OWASP) Secure Coding