1.14.2008

Secure Coding Practices, Part 2: Authentication

by Steven McElwee, CISSP

When considering secure coding practices and security code reviews, one of the most important things to look for is effective authentication. Authentication in applications controls user and system access. Without a complete authentication solution, there will be opportunities for an attacker to find ways to obtain unauthorized system privileges.

Here are some of the most important questions when evaluating authentication in applications:

  • Does each web request validate authentication?
  • Are credentials presented securely (e.g. over SSL, and never in the query string of a GET request)?
  • Are passwords stored in an encrypted or hashed format?
  • Is password complexity enforced, including minimum length, rejection of guessable words, and required special characters and numbers?
  • Do user credentials expire after a period of time?
  • Are standards used for authentication and identity management (e.g. SAML, WS-Security, LDAP, NTLM, Kerberos)?
  • Are user accounts locked after a certain number of failed authentication attempts?

If the answer to any of these questions is "no" then there is risk that authentication may be compromised. Risks in several of these areas may have been found in the requirements and design of the application. It is still important to verify that they have been implemented correctly when coded.
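The following is an added example, not code from the original post, showing how several of the checklist items above look when implemented in a small Python authentication module: salted password hashing (PBKDF2, a choice assumed here), a complexity policy, credential expiry, account lockout after repeated failures, and per-request validation of a session token. The policy values (five attempts, 90-day age, 12-character minimum), the in-memory store and the short deny-list of guessable words are all constructed for the example; a real application would persist the records and tune the policy to its own requirements.

```python
import hashlib
import hmac
import os
import re
import secrets
import time

# Constructed policy values for this example (assumptions, not from the post).
MAX_FAILED_ATTEMPTS = 5
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600
MIN_PASSWORD_LENGTH = 12
# Deliberately modest iteration count to keep the example fast; raise it in production.
PBKDF2_ITERATIONS = 100_000
# Tiny constructed deny-list standing in for the post's "non-guessable words" check.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}


def password_meets_policy(password):
    """Checklist: minimum length, a digit, a special character, no guessable words."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if not re.search(r"\d", password):
        return False
    if not re.search(r"[^A-Za-z0-9]", password):
        return False
    lowered = password.lower()
    return not any(word in lowered for word in COMMON_WORDS)


def hash_password(password, salt=None):
    """Checklist: store a salted hash of the password, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthStore:
    """In-memory user and session store; a real application would persist these."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so credential expiry can be tested
        self.users = {}         # username -> record dict
        self.sessions = {}      # session token -> username

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.users[username] = {
            "salt": salt,
            "hash": digest,
            "password_set_at": self.clock(),
            "failed_attempts": 0,
            "locked": False,
        }

    def login(self, username, password):
        """Return a session token on success, or None on any failure."""
        rec = self.users.get(username)
        if rec is None or rec["locked"]:
            return None
        _, digest = hash_password(password, rec["salt"])
        # Constant-time comparison of the stored and presented hashes.
        if not hmac.compare_digest(digest, rec["hash"]):
            rec["failed_attempts"] += 1
            # Checklist: lock the account after repeated failed attempts.
            if rec["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True
            return None
        # Checklist: credentials expire after a period of time.
        if self.clock() - rec["password_set_at"] > PASSWORD_MAX_AGE_SECONDS:
            return None
        rec["failed_attempts"] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def authenticated_user(self, token):
        """Checklist: every request re-validates the presented session token."""
        return self.sessions.get(token)
```

In a web framework the `authenticated_user` lookup would run in a middleware or decorator applied to every handler, so that no request path can skip the check; the expiry branch is where a real application would redirect to a password-change page rather than simply refuse the login.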

Discuss these questions with software engineers. Document them as part of your secure coding practices, and verify them when you perform a security code review.
