Web Application Security Checklist
EZYSoft is a software developer company helping companies to transform their traditional business model to online presence. Several companies have engaged EZYSoft service to help develop a secure website based on their initial requirements.
The various companies are organized by module-groups and have different project requirements. You are to develop the initial website features based on module-group. Below are there the application requirements for Registration and Authentication. For registration, it is preferred the user’s email address is being used for the authentication.
You are tasked to create a .Net Core Web Application from scratch by implementing the recommended security features highlighted in the table shown below.
For Registration and displaying info on your homepage, please taker reference from the table below.
Company Name: Ace Job Agency (Membership Service)
Membership Registration Form should consist of the following input fields:
- First Name
- Last Name
- Gender
- NRIC (Must be encrypted)
- Email address (Must be unique)
- Password
- Confirm Password
- Date of Birth
- Resume
- Who Am I (allow all special chars)
Registration and User Data Management
- Implement successful saving of member info into the database
- Check for duplicate email addresses and handle appropriately
- Implement strong password requirements:
- Minimum 12 characters
- Combination of lowercase, uppercase, numbers, and special characters
- Provide feedback on password strength
- Implement both client-side and server-side password checks
- Encrypt sensitive user data in the database (e.g., NRIC, credit card numbers)
- Implement proper password hashing and storage
- Implement file upload restrictions (e.g., .docx, .pdf, or .jpg only)
Session Management
- Create a secure session upon successful login
- Implement session timeout
- Route to homepage/login page after session timeout
- Detect and handle multiple logins from different devices/browser tabs
Login/Logout Security
- Implement proper login functionality
- Implement rate limiting (e.g., account lockout after 3 failed login attempts)
- Perform proper and safe logout (clear session and redirect to login page)
- Implement audit logging (save user activities in the database)
- Redirect to homepage after successful login, displaying user info
Anti-Bot Protection
- Implement Google reCAPTCHA v3 service
Input Validation and Sanitization
- Prevent injection attacks (e.g., SQL injection)
- Implement Cross-Site Request Forgery (CSRF) protection
- Prevent Cross-Site Scripting (XSS) attacks
- Perform proper input sanitization, validation, and verification for all user inputs
- Implement both client-side and server-side input validation
- Display error or warning messages for improper input
- Perform proper encoding before saving data into the database
Error Handling
- Implement graceful error handling on all pages
- Create and display custom error pages (e.g., 404, 403)
Software Testing and Security Analysis
- Perform source code analysis using external tools (e.g., GitHub)
- Address security vulnerabilities identified in the source code
Advanced Security Features
- Implement automatic account recovery after lockout period
- Enforce password history (avoid password reuse, max 2 password history)
- Implement change password functionality
- Implement reset password functionality (using email link or SMS)
- Enforce minimum and maximum password age policies
- Implement Two-Factor Authentication (2FA)
General Security Best Practices
- Use HTTPS for all communications
- Implement proper access controls and authorization
- Keep all software and dependencies up to date
- Follow secure coding practices
- Regularly backup and securely store user data
- Implement logging and monitoring for security events
Documentation and Reporting
- Prepare a report on implemented security features
- Complete and submit the security checklist
Remember to test each security feature thoroughly and ensure they work as expected in your web application.