Table 6.6 Low-Severity Threat Models for Threat Profile

Exploit: The attacker in the user's network may also be able to intercept network traffic carrying user credentials for the application.

Possible Vulnerabilities: Lack of encryption for data being transmitted—In the absence of an encryption mechanism, user credential information transmitted over the Internet may be captured by an attacker.

Severity of Exploit: Low—A few users will be affected by this attack as this is not an attack that can compromise several user accounts. The attacker needs to capture unencrypted network traffic, being part of the same network as the user.
need to have access to the reporting portion of the application and therefore will have no privileges to view/alter any other data in the system.

Access to Panthera's e-commerce Web application will be based on a role-based access control system.

Authorization to the system will be provisioned based on the access control matrix. Certain URLs for key actions shall be restricted to users with privileges to access the said resource.

All users, including shoppers in the e-commerce application, will be identified with a unique username and strong password.
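The following is an added example, not code from the book or from the Panthera application, showing how the two controls just described can be enforced at a single request gate: credentials are accepted only over an encrypted channel (closing the interception exploit listed in Table 6.6), and key URLs are matched against a role-based access control matrix with deny-by-default. The paths, role names, matrix contents and the `Request`/`gate` names are assumptions made for illustration.

```python
"""Request gate: TLS-only credential endpoints plus URL-to-role access matrix.
Hypothetical example; paths, roles and the matrix are constructed, not Panthera's."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed access control matrix: URL prefix -> roles permitted.
# The longest matching prefix decides; anything unmapped is denied by default.
ACCESS_MATRIX = {
    "/admin/": {"superadmin", "admin"},
    "/reports/": {"superadmin", "admin", "analyst"},   # reporting-only users get nothing else
    "/account/": {"superadmin", "admin", "shopper"},
    "/shop/": {"superadmin", "admin", "shopper", "anonymous"},
    "/login": {"superadmin", "admin", "analyst", "shopper", "anonymous"},
}

# Endpoints that carry user credentials and therefore require an encrypted channel.
CREDENTIAL_PATHS = {"/login", "/account/password"}


@dataclass
class Request:
    path: str
    scheme: str                             # scheme of the connection the application saw
    role: str                               # role from the authenticated session, else "anonymous"
    forwarded_proto: Optional[str] = None   # X-Forwarded-Proto, only when a trusted TLS terminator sets it


def is_encrypted(req: Request) -> bool:
    """True when the client's connection was TLS, either directly or at a trusted proxy."""
    proto = req.forwarded_proto or req.scheme
    return proto.lower() == "https"


def gate(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, reason); 200 means the request may proceed."""
    # 1. Never accept credentials over an unencrypted connection (Table 6.6 mitigation).
    if req.path in CREDENTIAL_PATHS and not is_encrypted(req):
        return 403, "credentials are only accepted over TLS"
    # 2. Authorize against the access control matrix, longest prefix first.
    prefix = max((p for p in ACCESS_MATRIX if req.path.startswith(p)), key=len, default=None)
    if prefix is None:
        return 404, "resource not in access control matrix"
    if req.role not in ACCESS_MATRIX[prefix]:
        if req.role == "anonymous":
            return 401, "authentication required"
        return 403, "role not permitted for this resource"
    return 200, "ok"


if __name__ == "__main__":
    for r in (Request("/login", "http", "anonymous"),
              Request("/login", "http", "anonymous", forwarded_proto="https"),
              Request("/admin/users", "https", "shopper")):
        print(r.path, r.role, gate(r))
```

The forwarded-protocol header is honoured only because the example assumes a proxy that terminates TLS and overwrites that header on every request; if the application is reachable without such a proxy, the header must be ignored, since a client can set it freely.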
6.4.1.2 Password Management and Policy
The following functionality shall be implemented as part of the password policy for the Web application:
Password strength for Panthera's e-commerce Web application will be a minimum of eight characters containing alphanumeric and special characters. This password strength requirement shall be enforced across all users in the Web application.

Administrative users of the application will be forced to change passwords once every 30 days or earlier.

Accounts of e-commerce shoppers will be locked out after six continuous invalid login attempts.

Accounts of administrative users will be locked out after three invalid login attempts.

Password resets of e-commerce application clients may be performed by answering the password validation question, at the successful completion of which a new password is generated and sent to the user's registered email account. The user has to activate the account with the new password within the next 24 hours. At the failure of these processes, the user must contact the user management team at Panthera to reset the user credentials, post-verification by the user management team. The user must immediately change the temporary password upon initial login with the same.

Accounts of administrative users of the Panthera e-commerce Web application may only be reset by the application superadministrator.

The administrative users of the Panthera e-commerce application may not use the passwords used on the previous five occasions.
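The following is an added example, not code from the book or from the Panthera application, that implements the password policy rules listed above as one `Account` object: the strength check, the 6/3 lockout thresholds for shoppers and administrators, the 30-day change requirement for administrators, the five-password reuse ban, and the reset flow with a temporary password that must be used within 24 hours and changed on first login. The class, method names, status strings, PBKDF2 parameters and the reading of "alphanumeric and special characters" as at least one letter, one digit and one special character are all assumptions.

```python
"""Password policy enforcement for the rules in section 6.4.1.2.
Hypothetical example; the Account class, status strings and hashing choices are
assumptions, not the Panthera application's own code."""
import hashlib
import re
import secrets
import string
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy constants taken from the text of section 6.4.1.2.
LOCKOUT_THRESHOLD = {"shopper": 6, "admin": 3}   # consecutive invalid logins before lockout
ADMIN_PASSWORD_MAX_AGE = timedelta(days=30)
ADMIN_HISTORY_DEPTH = 5                          # previous passwords an admin may not reuse
TEMP_PASSWORD_TTL = timedelta(hours=24)          # window to activate a reset password
PBKDF2_ROUNDS = 30_000                           # assumption, kept low for illustration


def meets_strength(pw: str) -> bool:
    """Eight or more characters with letters, digits and at least one special character
    (assumed reading of 'alphanumeric and special characters')."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def generate_temp_password(length: int = 12) -> str:
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:  # resample until the generated value itself satisfies the policy
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_strength(pw):
            return pw


class Account:
    def __init__(self, username: str, role: str, password: str, now: datetime,
                 reset_answer: Optional[str] = None):
        self.username, self.role = username, role
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest), oldest first; last = current
        self.failed_attempts = 0
        self.locked = False
        self.must_change = False
        self.temp_expires: Optional[datetime] = None
        self.reset_answer = reset_answer               # answer to the password validation question
        if self.change_password(password, now) != "ok":
            raise ValueError("initial password violates policy")

    def _matches(self, pw: str, entry: Tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return secrets.compare_digest(_hash(pw, salt), digest)

    def change_password(self, new_pw: str, now: datetime) -> str:
        if not meets_strength(new_pw):
            return "weak"
        # Administrators may not reuse the current password or the five before it.
        if self.role == "admin" and any(self._matches(new_pw, e) for e in self.history):
            return "reused"
        salt = secrets.token_bytes(16)
        self.history.append((salt, _hash(new_pw, salt)))
        self.history = self.history[-(ADMIN_HISTORY_DEPTH + 1):]   # current + five previous
        self.password_set_at = now
        self.must_change = False
        self.temp_expires = None
        return "ok"

    def login(self, pw: str, now: datetime) -> str:
        if self.locked:
            return "locked"
        if self.temp_expires is not None and now > self.temp_expires:
            return "temporary_expired"   # user must now contact the user management team
        if self._matches(pw, self.history[-1]):
            self.failed_attempts = 0
            if self.role == "admin" and now - self.password_set_at >= ADMIN_PASSWORD_MAX_AGE:
                self.must_change = True
            return "change_required" if self.must_change else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD[self.role]:
            self.locked = True
            return "locked"
        return "invalid"

    def reset(self, actor_role: str, now: datetime, answer: Optional[str] = None) -> Optional[str]:
        """Issue a temporary password (sent by e-mail in practice; returned here for illustration)."""
        if self.role == "admin":
            if actor_role != "superadmin":
                return None   # admin accounts are reset only by the superadministrator
        elif not (answer is not None and self.reset_answer is not None
                  and secrets.compare_digest(answer.encode(), self.reset_answer.encode())):
            return None       # shoppers must answer the password validation question
        temp = generate_temp_password()
        self.change_password(temp, now)   # a fresh random value passes strength and history checks
        self.must_change = True
        self.temp_expires = now + TEMP_PASSWORD_TTL
        self.locked, self.failed_attempts = False, 0
        return temp
```

Each password is stored as a salted PBKDF2 digest, and the reuse check compares the candidate against every stored digest rather than keeping plaintext history. The lockout counters, timestamps and `must_change` flag are the state a real implementation would persist with the account record.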