Difference between revisions of "Consumer Best Practices"
From OWASP
Edit summaries: (→Weak Password Handling) | (→Running Unnecessary Software or Services)
Line 57: | Line 57: | ||
==Running Unnecessary Software or Services== | ==Running Unnecessary Software or Services== | ||
− | * | + | * Do not install unneeded software |
* Remove software not in use | * Remove software not in use | ||
* Do not enable services you don't use | * Do not enable services you don't use |
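Review bot: The filled-in bullet completes the three-item list, but the section still carries only bullets, while the Weak Password Handling section on this page uses a Description / Threats / Impact / Recommendations structure; consider adding those headings here (a one-line Threats entry would explain that installed-but-unneeded software and enabled-but-unused services enlarge the attack surface that has to be kept patched) before the page's format is approved.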
Revision as of 06:37, 14 June 2016
- 1 Potential OWASP Consumer Top Ten
- 1.1 Weak Password Handling
- 1.2 Information Disclosure/Sensitive Data Exposure
- 1.3 Trusting Untrusted Sources
- 1.4 Lack of Proper Encryption in Transit
- 1.5 Lack of Proper Encryption at Rest
- 1.6 Using Components with Known Vulnerabilities
- 1.7 Lack of Secure Configuration
- 1.8 Running Unnecessary Software or Services
- 1.9 Poor Physical Security
- 1.10 Lack of Proper Defense
Potential OWASP Consumer Top Ten
Safe practices for consumers on the web.
TODO:
- Needs a proper order
- Approve format
Weak Password Handling
Description: Passwords are the most common way in which applications and services allow us to authenticate ourselves. We authenticate by providing the system with something known only to us, thereby proving we are who we have identified ourselves as....
Threats: Easy-to-guess passwords allow...
Impact: Weak password handling can result...
Recommendations:
- Use Multi-factor Authentication, especially on important accounts
- Use a Password Manager
- Use Strong Passwords
- Avoid using the same password across different accounts
- Do not answer security questions with easily identifiable or enumerable answers
- Do not allow browsers to store passwords
- Do not share your passwords
Information Disclosure/Sensitive Data Exposure
- Social Media
- Pictures
- Giving information away
Trusting Untrusted Sources
- Untrusted Sources
- Untrusted WiFi, computers, or email
- Downloading files from untrusted sources
- Clicking on links from unknown or unverified sources
- Review credit reports
- Review unknown uses of online accounts
- Subscribe to a credit monitoring service
- Freeze credit
Lack of Proper Encryption in Transit
- Do Not Ignore SSL Warnings
- Use Encryption
Lack of Proper Encryption at Rest
- Encrypt PII
- Don't store sensitive information unencrypted
Using Components with Known Vulnerabilities
- Patch
Lack of Secure Configuration
- Configure application settings for security
- Do not configure devices to automatically connect to WiFi access points
Running Unnecessary Software or Services
- Do not install unneeded software
- Remove software not in use
- Do not enable services you don't use
Poor Physical Security
- Encrypt devices and drives
- Do not leave mobile devices unattended
- Use an inactivity lockout
- Password protect all devices
Lack of Proper Defense
- Use Personal Firewalls
- Properly Secure Wireless Access Points
- Use Intrusion Detection Services
- Use anti-virus
- Backup important data
- Learn to recognize threats?