be enabled; even after enabling the same, however, the logs that are generated by default for a Web application are very basic and do not encompass several other details necessary to gauge the security events for a Web application. Logging for security in a Web application has to be configured through the development of the application. Techniques for implementation of logging in a Java Web application will be covered in detail in Chapter 9. The following are the requirements from the logging implementation of Panthera's Web application:
- Logs from Panthera's e-commerce application shall be written into the fileserver. The logs will be generated in a syslog format.
- The following details are to be logged by Panthera's e-commerce application:
  - Invalid access attempts by all users of Panthera's e-commerce Web application
  - Access to credit card information by users. Only customers and accounting and billing users may access credit card information (refer to the access control matrix).
  - Modification of credit card information. Only customers have access to modify/update or delete the credit cards stored in Panthera's e-commerce application (refer to the access control matrix).
  - Any action taken by administrative users of the application
  - Password reset information for all users in the Panthera e-commerce application
  - Application errors and exceptions
- The logs for Panthera's e-commerce Web application shall be configured to capture the following details:
  - Customer username/administrative user number
  - IP address
  - Timestamp
  - Information accessed
  - Action performed
  - Success/failure indication
- Application logs should not capture the following information:
  - Credit card information—including PAN, CVV2, or expiration date
  - Customer-specific details—name, telephone, email. Customer has been provided with unique username for the Web site.
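As an added illustration (not code from the book or from Panthera's application), the following Java class turns one security event into an RFC 5424 syslog line carrying exactly the capture fields listed above, while the forbidden fields (PAN, CVV2, expiry, name, telephone, email) have no way in: the PAN is reduced to its last four digits and the rest have no parameter at all. The host name, application name, facility/severity choice, enterprise ID and the sample events are assumptions.

```java
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.util.Objects;

/** Hypothetical example: formats Panthera security events as RFC 5424 syslog lines. */
public final class SecurityAuditFormatter {
    // Assumed values: facility local0 (16) with severity notice (5) gives PRI <133>;
    // host and app names are constructed; 32473 is the enterprise ID reserved for documentation.
    private static final int PRI = 16 * 8 + 5;
    private static final String HOST = "panthera-web01";
    private static final String APP = "panthera-ecom";
    private static final String SD_ID = "panthera@32473";

    /** Reduces a PAN to its last four digits; the full number never reaches the log. */
    static String maskPan(String pan) {
        String digits = pan.replaceAll("\\D", "");
        return digits.length() < 4 ? "****" : "****" + digits.substring(digits.length() - 4);
    }

    /** Formats one event. The parameters are exactly the capture list from the requirements;
     *  CVV2, expiry date, name, telephone and email have no parameter, so a caller cannot
     *  log them through this method by accident. */
    static String format(Instant when, String user, String clientIp,
                         String infoAccessed, String action, boolean success) {
        String ts = DateTimeFormatter.ISO_INSTANT.format(when); // RFC 5424 TIMESTAMP form
        String sd = String.format("[%s user=\"%s\" ip=\"%s\" info=\"%s\" action=\"%s\" result=\"%s\"]",
                SD_ID, esc(user), esc(clientIp), esc(infoAccessed), esc(action),
                success ? "success" : "failure");
        // HEADER: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA
        return String.format("<%d>1 %s %s %s - SECAUDIT %s", PRI, ts, HOST, APP, sd);
    }

    /** Escapes the three characters RFC 5424 reserves inside a PARAM-VALUE. */
    private static String esc(String v) {
        return Objects.requireNonNullElse(v, "-")
                .replace("\\", "\\\\").replace("\"", "\\\"").replace("]", "\\]");
    }

    public static void main(String[] args) {
        Instant t = Instant.parse("2024-05-01T10:15:30Z"); // constructed sample time
        // Accounting user viewing a stored card: log which card (masked), never the PAN
        System.out.println(format(t, "acct_user_17", "203.0.113.5",
                "creditcard:" + maskPan("4111 1111 1111 1111"), "view", true));
        // Invalid access attempt: a customer requesting an administrative page
        System.out.println(format(t, "jdoe", "198.51.100.9", "/admin/orders", "access", false));
    }
}
```

Because the event fields are fixed by the method signature, a code review only has to check the call sites for what is passed as infoAccessed; the structured-data block keeps each field separately parseable on the fileserver.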
6.4.4 Secure Coding Practices
The adoption of secure coding practices in the Web application development process is one of the most critical requirements for the security of the Web application in question. The implementation of secure coding practices for the Java Web Application is covered in detail in Chapter 10. The following secure coding practices are to be adopted for Panthera's envisaged e-commerce application:
- Input validation and output encoding
- Error handling
- Secure database access