Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Recent Security Innovation Blog Post:

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Implement Authentication Controls to Fail Securely

  
  

What to Do

Make sure authentication controls fail securely.

Why

Designing authentication to fail securely when abnormal conditions occur reduces the risk of attackers bypassing authentication by disabling it.

How

Use the following best practices to fail securely:

  1. Use generic error messages. Show generic error messages that supply the user with feedback denoting that some error happened. These messages should be written in a broad way and should not provide too much information.
  2. Use a global exception handler. Global exception handlers should catch any unforeseen exceptions that occur. These handlers are a safety net mechanism to ensure that the application does not behave in an unexpected way if an error occurs.

Catch any specific exceptions first. Use a generic error message, which ensures that no extra information is disclosed to an attacker through the error messages provided. In this specific exception handler, you could write an error message that is more specific to the error in order to help the user.

Always catch the global exception class last. This picks up any unforeseen errors and keeps your application from leaking potentially harmful information to an attacker or leaving your application in a vulnerable state.

It is always a best practice to include finally blocks with your try statements, which will ensure that the application reverts back to a secure state when the try block ends. This block will be executed regardless of whether an exception is thrown or not.

  1. Handle errors properly. Implement proper handling of the application state in error handling code by:
    • Closing all connections to databases or other systems
    • Reverting to lower privileges, if applicable
    • Closing all sensitive files
    • Logging the failure

 

Comments

Currently, there are no comments. Be the first to post one!
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics