Specific Threats for Web Environments
Administrative Interfaces
Using a web-based administrative interface is, in most opinions, a bad idea.
A bad habit that’s found even in high-security environments is hard-coding authentication credentials into the links to the management interfaces, or enabling the “remember password” option.
The simple countermeasure for this threat requires that the management interfaces be removed, but this may upset your administrators. Using a stronger authentication mechanism would be better than the standard username/password scenario. Controlling which systems are allowed to connect and administer the system is another good technique. Many systems allow specific IP addresses or network IDs to be defined that only allow administrative access from these stations.
Ultimately, the most secure management interface for a system would be one that is out-of-band, meaning a separate channel of communication is used to avoid any vulnerabilities that may exist in the environment that the system operates in.
Authentication and Access Control
Many financial organizations that provide online banking functionality have implemented multifactor authentication requirements.
A best practice is to exchange all authentication information (and all authenticated content) via a secure mechanism. This will typically mean to encrypt the credential and the channel of communication through Transport Layer Security (TLS).
剩余内容请关注本人公众号debugeeker, 链接为CISSP考试指南笔记:8.11 web安全