OWASP Risk A2 - Broken Authentication and Session Management

By Darío Rivera. Posted in OWASP.

In our post What is OWASP and why every developer should know it we gave an introduction to OWASP and explained why it matters so much in web application development. Within the Top Ten project, we will look a little more closely at each of the ten most critical security risks in web applications. Today it is the turn of Risk A2 - Broken Authentication and Session Management.

Definition

This risk covers how the web application handles authentication and session information. User accounts, passwords and session identifiers must all be properly protected, both in storage and in transit.

Examples

- A login that can be brute-forced with a dictionary attack.
- A login that can be bypassed through SQL injection.
- Theft of a session identifier by sniffing network traffic.

Prevention

- Implement multifactor authentication, such as OTP (one-time password).
- Do not ship applications with default passwords (e.g. admin, password, 123456, ...).
- Implement password policies that follow the NIST guidelines.
- Make sure credential management mechanisms, such as password recovery, are secure.
- Slow down responses to failed authentication attempts. Record each failed attempt and alert administrators about a possible brute-force attack.
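As an added illustration of the last point (this is not code from the original post), here is a small Python failed-login tracker: it keeps the recent failures per account, applies an increasing delay before the next attempt is answered, and raises an alert once a threshold is reached. The window size, threshold and delay cap are assumed values.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # only failures within the last 5 minutes count (assumed)
ALERT_THRESHOLD = 5    # alert administrators at this many failures (assumed)
MAX_DELAY_SECONDS = 8  # cap on the artificial delay (assumed)


class FailedLoginTracker:
    """Tracks failed logins per account: delay, logging and alerting."""

    def __init__(self, now=time.monotonic):
        self._now = now                       # injectable clock, useful for tests
        self._failures = defaultdict(deque)   # username -> timestamps of recent failures
        self.log = []                         # stand-in for the application log
        self.alerts = []                      # stand-in for an admin alerting hook

    def _recent(self, username):
        """Drop failures older than the window and return the remaining ones."""
        cutoff = self._now() - WINDOW_SECONDS
        q = self._failures[username]
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def record_failure(self, username, client_ip):
        """Record a failed attempt; returns the failure count in the window."""
        q = self._recent(username)
        q.append(self._now())
        count = len(q)
        self.log.append(f"login failed user={username} ip={client_ip} count={count}")
        if count >= ALERT_THRESHOLD:
            self.alerts.append(
                f"possible brute force: user={username} ip={client_ip} failures={count}")
        return count

    def delay_for(self, username):
        """Seconds to wait before answering the next attempt for this account.

        Doubles with each recent failure (1, 2, 4, 8 ...) up to the cap."""
        count = len(self._recent(username))
        if count == 0:
            return 0.0
        return float(min(2 ** (count - 1), MAX_DELAY_SECONDS))

    def record_success(self, username):
        """A successful login clears the account's failure history."""
        self._failures.pop(username, None)
```

In a real login handler, call delay_for() before verifying the password and sleep (or reject) for that long, so that dictionary attacks become slow without locking legitimate users out permanently.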

About Darío Rivera

Application Architect at Elentra Corp. Quality developer and passionate learner with 10+ years of experience in web technologies. Creator of EasyHttp, a standard way to consume HTTP clients.


Only those who have achieved success know that it was always one step away from the moment they thought about giving up.