It's almost a month now since Plynt was launched - the security certification standard for applications. Plynt came into existence when a handful of people got together and thought of having a certification program for web applications.

Why a certification program for web applications? Being a part of the Plynt team has helped me more in understanding why a certification is necessary and how it benefits an app. Well an app that has been certified as secure against a certification standard is more reliable and trusted. It provides an extra measure of credibility as a well-thought-out certification standard would have considered even subtle points.

And there are a lot of subtle points in the Plynt standard. Some of my favourite ones are:

• Protect secret questions from guessing attacks
• Password not stored in plain text for “Remember Me”
• Old password required before changing password
• New authentication token on log in
• No sensitive data in error messages

Here’s an example of how subtle points can be overlooked. A few days ago I was talking to a developer whose application I was about to test. Even before I could start testing, the developer said he was sure I wouldn’t find any vulnerability. The next moment, as I entered an incorrect input, there came a nice little error message with enough details to let me to break into the application. Sometimes it’s missing the small things like that which make a huge difference.

So tell us, what are the subtle things the Plynt Standard has missed?