Table 4.3  Security Requirements in Panthera's RFP

Security Requirement: User authentication and authorization management

Description:
The e-commerce application should implement authentication and authorization mechanisms based on a business "need-to-know."[a] The application should facilitate a single-authentication mechanism, which utilizes complex passwords, session timeouts, password expiration, password resets, and password history. These requirements apply to administrative users of the application as well.

The e-commerce application should implement strong session management and should protect user sessions from being hijacked or stolen.

The application should enforce a strong authorization mechanism, where only authenticated users who are authorized to view certain pages of the application or perform certain actions are able to do so. This authorization mechanism, for administrative users, must be based on their role.

The e-commerce application should be configured to work with encryption mechanisms for transmission over the Internet. The application should facilitate the use of HTTPS (SSL/TLS).[b]

Security Requirement: Data protection functionality

Description:
The e-commerce application must facilitate the storage of credit card information of customers and other user information and consequently must facilitate the secure storage of the said data.

The e-commerce application must be designed to protect the gift card numbers, which are stored in the database. Gift card numbers are used by customers to purchase items in Panthera's online store.

User passwords stored in the database must be protected against disclosure.

The e-commerce application should also be created to facilitate the use of encryption key management practices.

Security Requirement: Secure coding practices

Description:
The e-commerce application needs to be developed with the latest industry-standard best practices for secure coding, applied throughout the development of the e-commerce application.

Security Requirement: Logging and log management

Description:
The e-commerce application must be developed with a comprehensive logging capability. The application should log all critical and essential details like user logins, invalid login attempts, password resets, administrative activities, access to user information, and inventory information. The logs must provide the necessary information like time and date, user information, success/failure indication, and data or component accessed.

The application should also provide logging information about application errors and exceptions.

[a] Need-to-know is a concept where information is only provided for individuals or roles based on their need to know (or access) that information. This is also known as the concept of least privilege, which is defined as the feature of a system in which operations are granted the least permission possible to perform their tasks.

[b] HTTPS or hypertext transfer protocol secure is an encrypted HTTP link that is facilitated by a server-side secure sockets layer (SSL) or transport layer security (TLS) certificate.
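Two of the table's requirements, "user passwords stored in the database must be protected against disclosure" together with the password-history rule under authentication, and the logging requirement that each record carry time and date, user, success/failure and the component accessed, are concrete enough to show in code. The class below is an added example written for this page; it is not code from the book or from the Panthera RFP. It uses only the standard Java library (PBKDF2 via `javax.crypto`, `SecureRandom`, `MessageDigest.isEqual`) and assumes Java 16 or later for `record`. The class name `PantheraPasswordStore`, the history depth of five, the iteration count and the sample user "alice" are all assumptions chosen for the example.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (hypothetical class, not from the book): stores only a salted
 * PBKDF2 hash of each password, enforces a password-history rule, and writes an
 * audit entry for every login attempt and password reset.
 */
public class PantheraPasswordStore {

    private static final int ITERATIONS = 210_000;   // assumed work factor
    private static final int KEY_BITS = 256;
    private static final int HISTORY_SIZE = 5;       // assumed policy: last 5 passwords may not be reused
    private static final SecureRandom RNG = new SecureRandom();

    /** One stored record: salt and hash only; the plaintext is never persisted. */
    record StoredPassword(byte[] salt, byte[] hash) {}

    /** One audit entry carrying the fields the RFP's logging requirement names. */
    record AuditEvent(Instant when, String user, String action, boolean success, String component) {
        @Override
        public String toString() {
            return String.format("%s user=%s action=%s result=%s component=%s",
                    when, user, action, success ? "SUCCESS" : "FAILURE", component);
        }
    }

    private final Deque<StoredPassword> history = new ArrayDeque<>();  // most recent first
    private final List<AuditEvent> audit = new ArrayList<>();
    private final String user;

    PantheraPasswordStore(String user) {
        this.user = user;
    }

    /** Derives a PBKDF2-HMAC-SHA256 hash of the password under the given salt. */
    static byte[] derive(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    /** Sets a new password, refusing any that matches one of the last HISTORY_SIZE entries. */
    boolean setPassword(char[] newPassword) {
        for (StoredPassword old : history) {
            // Re-derive under the old salt; constant-time compare avoids a timing side channel.
            if (MessageDigest.isEqual(old.hash(), derive(newPassword, old.salt()))) {
                audit.add(new AuditEvent(Instant.now(), user, "PASSWORD_RESET", false, "PasswordStore"));
                return false;
            }
        }
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                        // fresh random salt per password
        history.addFirst(new StoredPassword(salt, derive(newPassword, salt)));
        while (history.size() > HISTORY_SIZE) {
            history.removeLast();
        }
        audit.add(new AuditEvent(Instant.now(), user, "PASSWORD_RESET", true, "PasswordStore"));
        return true;
    }

    /** Verifies a login attempt and records its outcome, success or failure alike. */
    boolean authenticate(char[] candidate) {
        StoredPassword current = history.peekFirst();
        boolean ok = current != null
                && MessageDigest.isEqual(current.hash(), derive(candidate, current.salt()));
        audit.add(new AuditEvent(Instant.now(), user, "LOGIN", ok, "LoginController"));
        return ok;
    }

    List<AuditEvent> auditTrail() {
        return List.copyOf(audit);
    }

    public static void main(String[] args) {
        PantheraPasswordStore store = new PantheraPasswordStore("alice");  // constructed sample user
        store.setPassword("Correct-Horse-42".toCharArray());
        store.authenticate("wrong-guess".toCharArray());                   // logged as FAILURE
        store.authenticate("Correct-Horse-42".toCharArray());              // logged as SUCCESS
        boolean reused = store.setPassword("Correct-Horse-42".toCharArray());
        System.out.println("reuse accepted: " + reused);                   // false: history rule applies
        store.auditTrail().forEach(System.out::println);
    }
}
```

The design point that matters for the "protected against disclosure" requirement is that the store never holds the plaintext and that a database dump yields only per-user salts and slow hashes; the audit trail shows the shape of a record that satisfies the logging row (timestamp, user, action, outcome, component), which a real deployment would write to a protected log rather than keep in memory.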