Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.


Centralize Authentication Controls


What to Do

Centralize authentication controls.

Why

Implementing a single, centralized set of authentication controls makes it easier to implement them correctly, to use them consistently throughout the application, and to maintain them later on.

How

To centralize authentication controls:

  1. Identify application requirements. Consider the following aspects of authentication controls:
  • Authentication should be required for all private pages.
  • All password fields should be masked.
  • Accounts should be locked after multiple failed authentication attempts.
  • Authentication should be implemented on the server side.
  • Authentication controls should be centralized.
  • Authentication controls should fail securely.
  • Strong authentication credentials (passwords) should be enforced.
  • Account management functions should be protected.
  • User credential (password) changing functions should be protected.
  • Re-authentication should be required for sensitive operations.
  • Authentication credentials (passwords) should expire.
  • Authentication events should be logged.
  • Authentication attempts should be throttled.
  • Passwords should be hashed and salted.
  • Authentication credentials (connection strings) for external resources should be protected.
  • Authentication with external services should be supported.
  2. Define authentication control APIs. Make the exposed APIs simple for developers to use. Define authentication APIs that satisfy all application requirements, including functionality to authenticate with external services.
  3. Implement and document authentication controls. Implement and document the authentication APIs so that they satisfy all application requirements.
  4. Use authentication controls in the application. Developers should use the centralized authentication controls whenever authentication is necessary.
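As an added illustration of what the centralized API from steps 2 through 4 can look like (example code written for this post, not TeamMentor or Security Innovation code), the Python class below is the single place the application authenticates users and covers several of the requirements listed above: salted slow hashing, lockout after repeated failures, failing closed on every non-success path, logging of authentication events, and a re-authentication check for sensitive operations. The class name, policy constants and in-memory user store are assumptions made for the example.

```python
import hashlib, hmac, logging, os, time
log = logging.getLogger("auth")
# Policy constants: assumed values for this example, not TeamMentor guidance.
MAX_FAILURES = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900     # how long a locked account stays locked
REAUTH_WINDOW = 300       # seconds after which sensitive operations need re-authentication
PBKDF2_ITERATIONS = 100_000

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow password hash; the only place the algorithm is chosen.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

class AuthService:
    """The one server-side authentication API the rest of the application calls."""
    def __init__(self, clock=time.time):
        self._users = {}      # username -> record; in-memory store constructed for the example
        self._clock = clock   # injectable so lockout and re-auth timing can be tested

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash(password, salt),
                                 "failures": 0, "locked_until": 0.0, "last_auth": 0.0}

    def authenticate(self, username: str, password: str) -> bool:
        """True only on a verified password; every other path fails closed and is logged."""
        now = self._clock()
        user = self._users.get(username)
        if user is None:
            _hash(password, b"\x00" * 16)  # same cost for unknown users, so timing does not reveal them
            log.warning("auth failed: unknown user %r", username)
            return False
        if now < user["locked_until"]:
            log.warning("auth refused: %r is locked", username)
            return False
        if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            user["failures"], user["last_auth"] = 0, now
            log.info("auth ok: %r", username)
            return True
        user["failures"] += 1
        log.warning("auth failed: bad password for %r (failure %d)", username, user["failures"])
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS
            log.warning("account %r locked for %d seconds", username, LOCKOUT_SECONDS)
        return False

    def requires_reauth(self, username: str) -> bool:
        """Sensitive operations call this; unknown users or stale logins must re-authenticate."""
        user = self._users.get(username)
        return user is None or self._clock() - user["last_auth"] > REAUTH_WINDOW
```

Because every login path goes through `authenticate`, the lockout, logging and hashing policy can be changed in one place without touching the pages that call it.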
