It's almost a month now since Plynt was launched - the security certification standard for applications. Plynt came into existence when a handful of people got together and thought of having a certification program for web applications.
Why a certification program for web applications? Being part of the Plynt team has helped me understand better why a certification is necessary and how it benefits an app. Well, an app that has been certified as secure against a certification standard is more reliable and trusted. It provides an extra measure of credibility, because a well-thought-out certification standard will have considered even the subtle points.
And there are a lot of subtle points in the Plynt standard. Some of my favourite ones are:
Protect secret questions from guessing attacks
Password not stored in plain text for “Remember Me”
Old password required before changing password
New authentication token on log in
No sensitive data in error messages
Here’s an example of how subtle points can be overlooked. A few days ago I was talking to a developer whose application I was about to test. Even before I could start testing, the developer said he was sure I wouldn’t find any vulnerability. The next moment, as I entered an incorrect input, there came a nice little error message with enough details to let me break into the application. Sometimes it’s missing small things like that which makes a huge difference.
So tell us, what are the subtle things the Plynt Standard has missed?