Application Data Security

The application will employ all standard and reasonable mechanisms to protect against known exploits against data-driven Web applications. These mechanisms include:

Parameter Binding

  1. All database interfaces will use strongly typed bound parameters for all database transactions that require variable input.
  2. SQL statements dynamically created from text strings received as user input will never be employed under any circumstances.

Strong Passwords

Passwords will be:
  1. case-sensitive
  2. at least 8 characters long
  3. mixed case, including a number
  4. not reusable
  5. salted and hashed before being written to the DB
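
The five password rules above interact: because every stored hash has its own salt, the "not reusable" check has to re-derive the candidate against each old record. The following is an added example, not code from the OCF application; PBKDF2-HMAC-SHA256, the iteration count, the 16-byte salt and all function names are assumptions, since the page names no algorithm.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; the page names no algorithm
MIN_LENGTH = 8        # "8 chars minimum"


def policy_errors(password):
    """Return the composition rules from the list above that the password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        errors.append("needs mixed case")
    if not any(c.isdigit() for c in password):
        errors.append("needs a number")
    return errors


def derive(password, salt):
    # No case folding or trimming here: passwords stay case-sensitive.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def matches(password, record):
    """Constant-time check of a password against one stored (salt, digest) pair."""
    salt, digest = record
    return hmac.compare_digest(derive(password, salt), digest)


def set_password(password, history):
    """Validate, reject reuse, then append a new (salt, digest) to history.

    history is the user's list of stored records, oldest first; the last
    entry is the current password. Returns a list of errors (empty = stored).
    """
    errors = policy_errors(password)
    if errors:
        return errors
    # Each old record has its own salt, so the candidate is re-derived per
    # record; comparing digests made with different salts would never match.
    if any(matches(password, record) for record in history):
        return ["password was used before"]
    salt = os.urandom(16)  # fresh random salt for every stored password
    history.append((salt, derive(password, salt)))
    return []
```

Only the (salt, digest) pairs are ever written to the database; the plaintext never leaves `set_password`.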

SSL Encryption

  1. All traffic to the application will be encrypted using SSL.
  2. The application will not respond to any requests over plain HTTP.

File System

  1. All application configurations will be maintained in files unavailable to end users but accessible to the web pages that rely on them.
  2. File system permissions and any related HTTP server configurations will be used to restrict access to only the appropriate content.
  3. Directory listings will be disabled.

Data Privacy

  1. Access to personal information should not be available to system users unless it is required to perform their tasks.
  2. The system shall restrict access to personal data through the use of System Roles.
  3. Group coordinators/leaders shall only see the personal data of people in the groups that they have access to.
  4. Membership Coordinators can see the personal data of anyone in the system.
  5. Inventory Coordinators can see the personal data of anyone in the system.

-- JimReed - 08 Jul 2012

Topic revision: 2012 Oct 24, AdminUser