Difference between revisions of "Security course 30 April 2018"
From Jon's Wiki
Revision as of 22:30, 29 April 2018
- ACL: Access Control List.
- Access Control: who can access which parts of a system, by assigning permissions to roles, users to groups, and roles to groups.
- Authentication: confirmation of identity.
- Authorisation: access control.
- NZISS: New Zealand Internet Security Standard
Restrict database access to only the tables required and, at a minimum, use stored procedures to hide sensitive tables entirely (e.g. an AUTHENTICATE() stored procedure and no direct access to the USER table).

    -- Returns the matching user's row (minus the password) or no rows at all;
    -- callers never read the users table directly.
    CREATE FUNCTION AUTHENTICATE(u TEXT, p TEXT)
        RETURNS TABLE (username TEXT, property1 TEXT, ...) AS $$
    BEGIN
        RETURN QUERY
            SELECT users.username, users.property1, ...
              FROM users
             WHERE users.username = u
               -- pgcrypto crypt(): hash the supplied password with the stored
               -- hash as salt and compare against the stored hash
               AND users.password = CRYPT(p, users.password);
    END;
    $$ LANGUAGE plpgsql;
- Design software to use the lowest privilege level required to complete its tasks.
- Deny access by default.
- Check return values of all system calls.
- Validate all inputs - lengths, field types, ranges, controlled vocabularies.
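The same pattern carried through with roles and grants, as an added example that is not part of the course notes: a PostgreSQL schema in which the application role can execute AUTHENTICATE() but has no privilege on the users table, and the stored hash and last-login timestamp back the points in the Authentication section below. The role name app_user, the pgcrypto extension and the sample account are assumptions.

```sql
-- Added example (not from the course notes). Assumes PostgreSQL with the
-- pgcrypto extension; app_user is a hypothetical application role.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE users (
    username      TEXT PRIMARY KEY,
    password_hash TEXT NOT NULL,   -- crypt()/gen_salt() output, never clear text
    display_name  TEXT,
    last_login_at TIMESTAMPTZ      -- shown to the user on their next login
);

-- Constructed sample account; only the bcrypt hash is stored.
INSERT INTO users (username, password_hash, display_name)
VALUES ('alice', crypt('correct horse battery staple', gen_salt('bf')), 'Alice');

-- SECURITY DEFINER runs with the function owner's rights, so the caller needs
-- no privilege on users. A bad username or password yields zero rows; the
-- hash column is never returned. search_path is pinned so a caller cannot
-- shadow "users" with a table of their own.
CREATE FUNCTION authenticate(u TEXT, p TEXT)
    RETURNS TABLE (username TEXT, display_name TEXT, last_login_at TIMESTAMPTZ)
    LANGUAGE plpgsql SECURITY DEFINER
    SET search_path = public, pg_temp AS $$
BEGIN
    RETURN QUERY
        SELECT users.username, users.display_name, users.last_login_at
          FROM users
         WHERE users.username = u
           AND users.password_hash = crypt(p, users.password_hash);
END;
$$;

-- Deny by default: PUBLIC gets nothing, app_user gets EXECUTE on the
-- function only. (Functions grant EXECUTE to PUBLIC by default, so that
-- REVOKE is not optional.)
CREATE ROLE app_user LOGIN;
REVOKE ALL ON users FROM PUBLIC;
REVOKE ALL ON FUNCTION authenticate(TEXT, TEXT) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION authenticate(TEXT, TEXT) TO app_user;
```

Connected as app_user, `SELECT * FROM users` is refused with a permission error, while `SELECT * FROM authenticate('alice', 'correct horse battery staple')` returns the one row and a wrong password returns none.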
Authentication
- User IDs - users must be unique. No shared 'office admin' accounts with naff passwords.
- Don't use shit passwords. Enforce minimum password complexity, use multi-factor auth, biometrics, etc.
- Encrypt user authentication data over the network (including database connections).
- Don't store passwords in clear text.
- Password management policies - e.g. time-out or reset request after x attempts, lock account after y attempts.
- Display when a user last logged in.