Security/Reviews/CloudServices/Marketplace Payments: Difference between revisions

Security/Reviews/CloudServices/Marketplace Payments (view source)

Revision as of 19:18, 25 March 2015

1,302 bytes added , 25 March 2015

→‎Application Security Requirements: edit

Amuntner

297

edits

@@ Line 346: / Line 346: @@
 === Application Security Requirements ===
-Document individual requirements for the application here (e.g. CEF logging, captcha, etc)
+It is expected that the [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines Secure Coding Guidelines] is followed but these requirements are especially important for this application.
+'''CSP'''
+Content Security Policy in blocking mode.
+'''Password Requirements'''
+*Threshold based CAPTCHA for login  Restrict password guesses without CAPTCHA to 5.
+*Blacklist top bad passwords that could be selected by a user.
+'''Account Requirements'''
+*Allow users to view last login time and IP address after authentication
+'''
+'''Coding Requirements'''
+*Session based CSRF protection (e.g. not Django cookie based CSRF protection)
+*Clickjacking (x-frame-options) and XSS protection (CSP)
+'''Other Requirements'''
+*Uploaded links must be verified against google safe browsing list (real time or daily cron)
+*Uploaded images must be strictly checked to validate only images are uploaded. [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Image_Upload More Info]
+'''SSL Requirements'''
+*SSL is required to the connection to paypal (user redirects and any backend connections)
+*The SSL cert must be strictly validated (specific code needed for backend connections)
+*HSTS must be enabled
+*No HTTP pages. Full HTTPS
+*Third party connections (e.g. twitter, facebook, paypal, etc) must link to the HTTPS page for that site. That may require rewriting the widget (twitter specifically)
 === Operation Security Requirements ===
 Document network/platform security requirements here (e.g. IDS concerns, firewall changes, system hardening reqs, etc)