Freigeben über


Security Frame

The Security Frame helps you organize and prioritize security knowledge.

Category Key Considerations
Auditing and Logging Who did what and when? Auditing and logging refer to how your application records security-related events.
Authentication Who are you? Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
Authorization What can you do? Authorization is how your application provides access controls for resources and operations.
Configuration Management Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Cryptography How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
Exception Management When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Input and Data Validation How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. Consider constraining input through entry points and encoding output through exit points. Do you trust data from sources such as databases and file shares?
Sensitive Data How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores.
Session Management How does your application handle and protect user sessions? A session refers to a series of related interactions between a user and your Web application.

The categories in the frame are a prioritized set of technology-agnostic common denominators that are pervasive across applications. You can use the categories to build evaluation criteria where security decisions can have a large impact.

More Information

My Related Posts

Comments

  • Anonymous
    July 16, 2007
    Inspections are among my favorite tools for improving security. I like them because they’re so effective

  • Anonymous
    August 27, 2007
    The Performance Frame helps you organize and prioritize performance knowledge. Categories Category Key

  • Anonymous
    August 27, 2007
    The performance and scalability frame to help you organize and prioritize performance and scalability

  • Anonymous
    December 19, 2007
    This is an oldie but a goodie. Alex (from our original team) walks through our patterns & practices

  • Anonymous
    January 24, 2008
    How to streamline the process of capturing security flaws during security code review? How to save time

  • Anonymous
    January 24, 2008
    How to streamline the process of capturing security flaws during security code review? How to save time

  • Anonymous
    April 07, 2008
    If you know the underlying principles for security, you can be more effective in your security design.