The subtler points of Plynt

By Paladion

March 30, 2006

It's almost a month now since Plynt was launched - the security certification standard for applications. Plynt came into existence when a handful of people got together and thought of having a certification program for web applications.

Why a certification program for web applications? Being part of the Plynt team has helped me understand better why a certification is necessary and how it benefits an app. Well, an app that has been certified as secure against a certification standard is more reliable and trusted. It provides an extra measure of credibility, as a well-thought-out certification standard would have considered even the subtle points.

And there are a lot of subtle points in the Plynt standard. Some of my favourite ones are:

  • Protect secret questions from guessing attacks
  • Password not stored in plain text for “Remember Me”
  • Old password required before changing password
  • New authentication token on log in
  • No sensitive data in error messages
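As an added illustration (not code from Plynt or Paladion), here is a small in-memory authentication module that puts four of the points above into practice: a fresh session token is issued on every login and the pre-authentication token is discarded, a password change requires the old password, the "Remember Me" cookie carries a random token whose hash is stored rather than the password itself, and a failed login returns one generic message regardless of cause. The user store, names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample store (example data, not a real application's)
USERS = {"alice": {"pw_hash": None, "remember_hash": None}}
SESSIONS = {}  # session id -> username

def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

def set_password(user: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[user]["pw_hash"] = (salt, _hash(password, salt))

def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None or rec["pw_hash"] is None:
        return False
    salt, digest = rec["pw_hash"]
    return hmac.compare_digest(_hash(password, salt), digest)

def login(user: str, password: str, old_session=None):
    """Return (session_id, message). A new token is minted on every
    login and any pre-auth session id is dropped, so a token fixed
    before authentication is never carried into the logged-in state."""
    if not check_password(user, password):
        # Same message whether the user is unknown or the password is wrong
        return None, "Invalid username or password"
    SESSIONS.pop(old_session, None)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid, "ok"

def change_password(sid: str, old_password: str, new_password: str) -> bool:
    """Refuse the change unless the caller proves the current password."""
    user = SESSIONS.get(sid)
    if user is None or not check_password(user, old_password):
        return False
    set_password(user, new_password)
    return True

def issue_remember_me(user: str) -> str:
    """Cookie value is a random token; only its hash is kept server side,
    so neither the password nor a reusable secret sits in the store."""
    token = secrets.token_urlsafe(32)
    USERS[user]["remember_hash"] = hashlib.sha256(token.encode()).digest()
    return token

def redeem_remember_me(user: str, token: str) -> bool:
    stored = USERS.get(user, {}).get("remember_hash")
    if stored is None:
        return False
    return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), stored)
```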

Here’s an example of how subtle points can be overlooked. A few days ago I was talking to a developer whose application I was about to test. Even before I could start testing, the developer said he was sure I wouldn’t find any vulnerability. The next moment, as I entered an incorrect input, there came a nice little error message with enough details to let me break into the application. Sometimes it’s missing small things like that which makes a huge difference.

So tell us, what are the subtle things the Plynt Standard has missed?
