I do not know if it's the right forum or not for my post, so forgive my ignorance. I need to develop a web application to access some sensitive data. What possible security features should I implement in my application? Right now I can only think of the following two:
1. Provide access for authenticated users with username and encrypted passwords.
2. Keep a record of the IPs of users accessing the sensitive data.
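As an added example (not posted by anyone in this thread), here is how the two items above look in code, with the two details a reviewer would check first: the passwords are stored as a salted, slow, one-way hash rather than anything that can be decrypted, and the recorded IP is the TCP peer address, with X-Forwarded-For only believed when the request came through a proxy you operate. The user table, the trusted-proxy set and the addresses are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the example runs quickly;
# OWASP's Password Storage Cheat Sheet recommends 600,000 iterations.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record to store for a new password: a per-user random salt
    plus a slow, one-way PBKDF2 hash. Nothing here can be decrypted back."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def client_ip(remote_addr: str, forwarded_for: Optional[str], trusted_proxies: frozenset) -> str:
    """Choose the address to write into the audit record. The TCP peer address
    is authoritative; X-Forwarded-For is set by the client and must only be
    believed when the peer is a proxy we operate."""
    if remote_addr not in trusted_proxies or not forwarded_for:
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    # Walk right to left past our own proxies; the first foreign hop is the client.
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


AUDIT_LOG: list = []


def record_access(username: str, ip: str, resource: str, granted: bool) -> dict:
    """Append one audit entry. Failures are recorded as well as successes,
    since a burst of failures from one address is the signal you want to see."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": username,
        "ip": ip,
        "resource": resource,
        "granted": granted,
    }
    AUDIT_LOG.append(entry)
    return entry


# Hypothetical user store, constructed for this example (a real one is a database).
USERS = {"alice": hash_password("correct horse battery staple")}

# Verified whenever the username is unknown, so "no such user" costs the same
# time as "wrong password" and the login form cannot be used to enumerate users.
_DUMMY_RECORD = hash_password("not-a-real-password")


def login(username: str, password: str, ip: str, users: dict = USERS) -> bool:
    """Authenticate against the store and log the attempt with the client's IP."""
    record = users.get(username, _DUMMY_RECORD)
    ok = verify_password(record, password) and username in users
    record_access(username, ip, "login", ok)
    return ok


if __name__ == "__main__":
    ip = client_ip("10.0.0.1", "198.51.100.7, 10.0.0.2", frozenset({"10.0.0.1", "10.0.0.2"}))
    print(login("alice", "correct horse battery staple", ip), AUDIT_LOG[-1])
    print(login("mallory", "guess", ip), AUDIT_LOG[-1])
```

The dummy-record trick matters more than it looks: without it, an attacker can tell valid usernames from invalid ones by timing the login response, which turns "record the IPs" into a list of addresses probing your user base.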
Fawad Ali wrote: What possible security features should I implement in my application.
A couple of others off the top of my head:
3. Use certificates. Thawte and Verisign work on pretty well all browsers, but you have to pay for them and they will require a pre-audit. There are free ones around, but acceptance is patchy (or used to be). Thawte used to be a lot cheaper, but it's been quite a while since I did that stuff, so you might want to read up on it.
4. Use HTTPS and/or SSL for everything sensitive (and if you don't know what's sensitive and what isn't, assume it's ALL sensitive).
Tip from an old secAdmin: There are two basic paradigms for security:
1. That which is not specifically allowed is denied.
2. That which is not specifically denied is allowed.
The first won't win you any friends, and may have a few teething troubles, but is MUCH easier to administer - and SAFER.
The latter is much nicer for your users, but you'll feel like the boy with his finger in the dyke.
Bats fly at night, 'cause they aren't we. And if we tried, we'd hit a tree -- Ogden Nash (or should've been).
Articles by Winston can be found here
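An added example, not from Winston or the original poster, of what his two paradigms look like as an authorization check in the web application. The roles, actions and resource names are made up for the example. The point it shows is the one in his tip: when a feature is added that nobody wrote a rule for (here, an "export" action), the default-deny policy refuses it until someone grants it, while the default-allow policy lets it through silently.

```python
import fnmatch
from typing import Iterable, Optional, Tuple

# A rule is (role, action, resource); "*" is a glob wildcard in any field.
Rule = Tuple[str, str, str]

# Constructed allow-list: every (role, action, resource) the application knows about.
ALLOW_RULES: list = [
    ("clinician", "read",  "records/*"),
    ("clinician", "write", "records/*"),
    ("auditor",   "read",  "records/*"),
    ("auditor",   "read",  "audit/*"),
    ("admin",     "*",     "*"),
]

# Constructed deny-list for the opposite paradigm: only the things someone
# remembered to forbid.
DENY_RULES: list = [
    ("*",       "delete", "records/*"),
    ("auditor", "write",  "*"),
]


def _matches(rule: Rule, roles: Iterable[str], action: str, resource: str) -> bool:
    role, act_pat, res_pat = rule
    return ((role == "*" or role in roles)
            and fnmatch.fnmatchcase(action, act_pat)
            and fnmatch.fnmatchcase(resource, res_pat))


def decide_default_deny(roles, action, resource, rules=ALLOW_RULES) -> Tuple[bool, Optional[Rule]]:
    """Paradigm 1: access is granted only if an allow rule matches.
    Returns the decision and the rule that produced it (None = fell through to deny),
    so the audit log can say why a request was allowed."""
    for rule in rules:
        if _matches(rule, roles, action, resource):
            return True, rule
    return False, None


def decide_default_allow(roles, action, resource, rules=DENY_RULES) -> Tuple[bool, Optional[Rule]]:
    """Paradigm 2: access is granted unless a deny rule matches. Anything nobody
    thought to forbid (a new action, a new resource tree) is allowed."""
    for rule in rules:
        if _matches(rule, roles, action, resource):
            return False, rule
    return True, None


if __name__ == "__main__":
    # A feature added later: "export" on patient records. No rule mentions it.
    for name, decide in (("default deny", decide_default_deny),
                         ("default allow", decide_default_allow)):
        print(name, decide({"clinician"}, "export", "records/123"))
```

Returning the matching rule alongside the decision is deliberate: under default-deny, a `(True, rule)` result is something you can log and later review, whereas under default-allow a `(True, None)` result means nobody ever decided this access was acceptable.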
I don't know whether this is the exact place to post my question or not, but my problem is quite serious, so I hope to get some good answers from the experts. My question is as follows:
Is there a way to check via Java/JSP whether my self-signed certificate is installed in my browser or not?