be enabled; even after enabling it, however, the logs that a Web server generates by default are very basic and do not encompass the details necessary to gauge security events in a Web application. Security logging for a Web application has to be designed and configured during the development of the application. Techniques for implementing logging in a Java Web application are covered in detail in Chapter 9. The following are the requirements for the logging implementation of Panthera's Web application:
◾ Logs from Panthera's e-commerce application shall be written to the file server. The logs will be generated in syslog format.
◾ The following events are to be logged by Panthera's e-commerce application:
− Invalid access attempts by all users of Panthera's e-commerce Web application
− Access to credit card information by users. Only customers and accounting and billing users may access credit card information (refer to the access control matrix).
− Modification of credit card information. Only customers have access to modify/update or delete the credit cards stored in Panthera's e-commerce application (refer to the access control matrix).
− Any action taken by administrative users of the application
− Password reset information for all users in the Panthera e-commerce application
− Application errors and exceptions
◾ The logs for Panthera's e-commerce Web application shall be configured to capture the following details:
− Customer username/administrative user number
− IP address
− Timestamp
− Information accessed
− Action performed
− Success/failure indication
◾ Application logs shall not capture the following information:
− Credit card information—including PAN, CVV2, or expiration date
− Customer-specific details—name, telephone, email. Each customer has been provided with a unique username for the Web site, and that username is what the logs identify them by.
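The requirements above translate into a small security-event logger. The block below is an added example written for this page, not code from the book (whose application is Java; the structure carries over directly). Each event carries the required fields (user, IP address, timestamp, information accessed, action, success/failure), every free-text field is scrubbed of PAN, CVV2 and expiry data before it is written, CR/LF is neutralised so a user-supplied value cannot forge a second log line, and the record is emitted as an RFC 5424 syslog line for forwarding to the file server. The hostname, application name, the `panthera@32473` structured-data ID (32473 is the enterprise number RFC 5424 reserves for documentation), the `local0` facility, the redaction tokens and the sample events are all assumptions made for the example.

```python
"""Security-event logging helper modelled on the Panthera logging requirements.

Added example, not code from the book. Host/app names, facility, SD-ID and
redaction tokens are placeholders chosen for the illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16   # syslog facility assumed for application security events
SEVERITY_NOTICE = 5    # successful action
SEVERITY_WARNING = 4   # failed/denied action, so invalid access attempts stand out

# 13-19 digits, optionally separated by single spaces or hyphens.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_CVV_RE = re.compile(r"\b(?:cvv2?|cvc|csc)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)
_EXPIRY_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that non-card numbers (order IDs) are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub(text: str) -> str:
    """Remove PAN, CVV2 and expiry data, then neutralise CR/LF (log-line forgery)."""
    def mask_pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "PAN_REDACTED" if luhn_ok(digits) else m.group(0)

    text = _PAN_RE.sub(mask_pan, text)
    text = _CVV_RE.sub("CVV_REDACTED", text)
    text = _EXPIRY_RE.sub("EXPIRY_REDACTED", text)
    return text.replace("\r", "\\r").replace("\n", "\\n")


def _sd_escape(value: str) -> str:
    """RFC 5424 PARAM-VALUE escaping: backslash, double quote and ']'."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


@dataclass
class SecurityEvent:
    user: str            # customer username or administrative user number
    ip: str
    info_accessed: str   # a reference such as "creditcard:id=42", never the data
    action: str
    success: bool
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def to_syslog(ev: SecurityEvent, hostname: str = "panthera-web",
              app: str = "panthera-ecom") -> str:
    """Render the event as one RFC 5424 line; the caller ships it to the file server."""
    severity = SEVERITY_NOTICE if ev.success else SEVERITY_WARNING
    pri = FACILITY_LOCAL0 * 8 + severity
    ts = ev.timestamp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {
        "user": ev.user,
        "ip": ev.ip,
        "info": ev.info_accessed,
        "action": ev.action,
        "result": "success" if ev.success else "failure",
    }
    sd = " ".join(f'{k}="{_sd_escape(scrub(v))}"' for k, v in params.items())
    return f"<{pri}>1 {ts} {hostname} {app} - SECEVENT [panthera@32473 {sd}] {scrub(ev.action)}"


if __name__ == "__main__":
    # Constructed sample: a denied request that tries to smuggle card data and a
    # forged second line into the log through user-controlled fields.
    ev = SecurityEvent(user="jdoe", ip="198.51.100.7",
                       info_accessed="creditcard:id=42 pan=4111 1111 1111 1111 cvv2 123",
                       action='view_card\nuser="admin"', success=False)
    print(to_syslog(ev))
```

The design point is that the application logs a reference to the information accessed (a card record ID) rather than the information itself; the scrubber is a safety net for free-text fields, not a substitute for that discipline. Failed and denied actions are emitted at warning severity so that invalid access attempts can be filtered at the syslog collector.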
6.4.4 Secure Coding Practices
The adoption of secure coding practices in the Web application development process is one of the most critical requirements for the security of the Web application in question. The implementation of secure coding practices for the Java Web application is covered in detail in Chapter 10. The following secure coding practices are to be adopted for Panthera's envisaged e-commerce application:
◾ Input validation and output encoding
◾ Error handling
◾ Secure database access