The Open Worldwide Application Security Project
Resources
- The Open Worldwide Application Security Project
- OWASP Top Ten
- Slides from SSE: OWASP Top 10 Pt. 1 and OWASP Top 10 Pt. 2
OWASP Guidelines for Passwords
- Provide as little information as possible (return the same message whether or not the account exists, so the form cannot be used to enumerate accounts).
- Use a side channel (e.g. an email or SMS link) for password recovery.
- The user confirms a new password by typing it twice.
- Protect against automated submission (rate limiting, CAPTCHA).
- Don’t use security questions.
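The following is an added example (not from the OWASP material or the course slides) that puts the first four guidelines into working code: a reset request and a login handler that return one generic message whether or not the account exists, do the same amount of hashing work in both cases, deliver the reset token over a separate channel, check the repeated password, and throttle repeated failures. The account store, salts, email address and `send_email` callback are constructed for this example; the lockout threshold of five attempts is an assumed value.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed in-memory account store standing in for a real user database.
_ALICE_SALT = os.urandom(16)
ACCOUNTS = {
    "alice@example.com": {
        "salt": _ALICE_SALT,
        "hash": hash_password("correct horse battery staple", _ALICE_SALT),
    }
}

# A dummy credential is hashed when the account does not exist, so that the
# response time does not reveal whether the address is registered.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)

# One message for every outcome that must not leak account existence.
RESET_MESSAGE = "If an account exists for that address, a reset link has been sent."
LOGIN_FAILURE = "Invalid email or password."
THROTTLED = "Too many attempts. Please try again later."

# Simplified per-identifier failure counter; a stand-in for real rate limiting.
MAX_FAILED_ATTEMPTS = 5  # assumed threshold
_failed_attempts: dict[str, int] = {}


def request_password_reset(email: str, send_email) -> str:
    """Always returns the same text; the token travels only over the side channel."""
    account = ACCOUNTS.get(email)
    if account is not None:
        token = secrets.token_urlsafe(32)
        send_email(email, token)  # e.g. an email containing a single-use reset link
    return RESET_MESSAGE


def login(email: str, password: str) -> tuple[bool, str]:
    """Constant-time compare, equal work for unknown accounts, generic failure text."""
    if _failed_attempts.get(email, 0) >= MAX_FAILED_ATTEMPTS:
        return False, THROTTLED
    account = ACCOUNTS.get(email)
    if account is None:
        # Same hashing cost as the real-account path; the result is always False.
        hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        _failed_attempts[email] = _failed_attempts.get(email, 0) + 1
        return False, LOGIN_FAILURE
    if hmac.compare_digest(hash_password(password, account["salt"]), account["hash"]):
        _failed_attempts.pop(email, None)
        return True, "Login successful."
    _failed_attempts[email] = _failed_attempts.get(email, 0) + 1
    return False, LOGIN_FAILURE


def validate_new_password(password: str, confirmation: str, minimum_length: int = 12) -> tuple[bool, str]:
    """Second-entry confirmation plus a minimum length check."""
    if password != confirmation:
        return False, "The two passwords do not match."
    if len(password) < minimum_length:
        return False, f"Password must be at least {minimum_length} characters."
    return True, "Password accepted."


if __name__ == "__main__":
    sent = []
    print(request_password_reset("alice@example.com", lambda e, t: sent.append((e, t))))
    print(request_password_reset("nobody@example.com", lambda e, t: sent.append((e, t))))
    print("emails sent:", len(sent))
    print(login("alice@example.com", "correct horse battery staple"))
    print(login("nobody@example.com", "guess"))
```

Note that the throttled reply is also identical for known and unknown addresses, so the counter itself does not become an enumeration oracle.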
Guidelines for Authentication and Session Management
Multi-Factor Authentication (MFA)
- Possession: Something you have.
- Knowledge: Something you know.
- Being: Something you are.