It's almost a month now since Plynt, the security certification standard for applications, was launched. Plynt came into existence when a handful of people got together and thought of having a certification program for web applications.
Why a certification program for web applications? Being a part of the Plynt team has helped me understand better why a certification is necessary and how it benefits an app. Well, an app that has been certified as secure against a certification standard is more reliable and trusted. It provides an extra measure of credibility, as a well-thought-out certification standard will have considered even subtle points.
And there are a lot of subtle points in the Plynt standard. Some of my favourite ones are:
- Protect secret questions from guessing attacks
- Password not stored in plain text for “Remember Me”
- Old password required before changing password
- New authentication token on log in
- No sensitive data in error messages
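As an added illustration (not Plynt's code and not part of the original post), here is a minimal Python authentication module showing one way to implement the five checks listed above. The in-memory stores, the function names, the generic error text and the limit of five secret-question tries are assumptions made for the example.

```python
"""Added example (not Plynt's code): a minimal in-memory auth module that
implements the five checks above. Stores, names and limits are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores standing in for database tables.
USERS = {}            # username -> {"salt", "pw_hash", "q_salt", "q_hash", "q_tries"}
SESSIONS = {}         # session token -> username (None for an anonymous pre-login session)
REMEMBER_TOKENS = {}  # selector -> (username, sha256(validator))
MAX_QUESTION_TRIES = 5                              # assumed lockout threshold
GENERIC_LOGIN_ERROR = "Invalid username or password."


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash used for both passwords and secret answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def register(username: str, password: str, secret_answer: str) -> None:
    salt, q_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _kdf(password, salt),
        # Secret answers are normalised and hashed, never stored in the clear.
        "q_salt": q_salt,
        "q_hash": _kdf(secret_answer.strip().lower(), q_salt),
        "q_tries": 0,
    }


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _kdf(password, b"\x00" * 16)  # burn comparable time so unknown users are not faster
        return False
    return hmac.compare_digest(rec["pw_hash"], _kdf(password, rec["salt"]))


def login(username: str, password: str, pre_login_session: Optional[str] = None) -> str:
    """New authentication token on log in: any token issued before authentication is
    discarded and a fresh one returned. The failure message does not say which half
    of the credential was wrong (no sensitive data in error messages)."""
    if not verify_password(username, password):
        raise PermissionError(GENERIC_LOGIN_ERROR)
    SESSIONS.pop(pre_login_session, None)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def issue_remember_me(username: str) -> str:
    """Password not stored for 'Remember Me': the cookie is random selector:validator,
    and only a hash of the validator is stored server side."""
    selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = (username, hashlib.sha256(validator.encode()).digest())
    return f"{selector}:{validator}"


def login_with_remember_me(cookie: str) -> Optional[str]:
    selector, _, validator = cookie.partition(":")
    rec = REMEMBER_TOKENS.get(selector)
    if rec is None:
        return None
    username, stored = rec
    if not hmac.compare_digest(stored, hashlib.sha256(validator.encode()).digest()):
        del REMEMBER_TOKENS[selector]  # valid selector, wrong validator: treat as theft and revoke
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def change_password(session: str, old_password: str, new_password: str) -> bool:
    """Old password required before changing password: a hijacked session alone is not enough."""
    username = SESSIONS.get(session)
    if username is None or not verify_password(username, old_password):
        return False
    salt = secrets.token_bytes(16)
    USERS[username]["salt"], USERS[username]["pw_hash"] = salt, _kdf(new_password, salt)
    return True


def answer_secret_question(username: str, answer: str) -> bool:
    """Protect secret questions from guessing attacks: wrong answers are counted and the
    question is locked after MAX_QUESTION_TRIES consecutive failures."""
    rec = USERS.get(username)
    if rec is None or rec["q_tries"] >= MAX_QUESTION_TRIES:
        return False
    ok = hmac.compare_digest(rec["q_hash"], _kdf(answer.strip().lower(), rec["q_salt"]))
    rec["q_tries"] = 0 if ok else rec["q_tries"] + 1
    return ok
```

The remember-me split into a selector and a validator lets the server look up the record by selector and then compare the validator hash in constant time, so a leaked table gives an attacker neither a password nor a usable cookie. The lockout counter is deliberately per account rather than per IP, since a guessing attack on secret questions is usually distributed.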
Here’s an example of how subtle points can be overlooked. A few days ago I was talking to a developer whose application I was about to test. Even before I could start testing, the developer said he was sure I wouldn’t find any vulnerability. The next moment, as I entered an incorrect input, there came a nice little error message with enough details to let me break into the application. Sometimes it’s missing small things like that which makes a huge difference.
So tell us, what are the subtle things the Plynt Standard has missed?