
Difference between revisions of "Consumer Best Practices"

From OWASP
Edit summary: (Trusting Untrusted Sources)

Change in this revision, at line 29 of the page source, in the section "Trusting Untrusted Sources": the bullet "* WiFi" was replaced by "* Untrusted WiFi or computers". The section's other bullets ("* Untrusted Sources", "* Downloading files from untrusted sources", "* Clicking on links from unknown or unverified sources") are unchanged.

Revision as of 05:19, 14 June 2016

Potential OWASP Consumer Top Ten

Safe practices for consumers on the web.

Weak password handling

Description: Passwords are the most common way in which applications and services allow us to authenticate ourselves. We authenticate by providing the system with something known only to us, thereby proving that we are who we have identified ourselves as...

Threats: Easy to guess passwords allow...

Impact: Weak password handling can result...

Recommendations:

  • Use Multi-factor Authentication, especially on important accounts
  • Use a Password Manager
  • Use Strong Passwords
  • Avoid using the same password across different accounts
  • Do not answer security questions with easily identifiable or enumerable answers
  • Don't allow browsers to store passwords
  • Do not share your passwords

Information Disclosure/Sensitive Data Exposure

  • Social Media
  • Pictures
  • Giving information away

Trusting Untrusted Sources

  • Untrusted Sources
  • Untrusted WiFi or computers
  • Downloading files from untrusted sources
  • Clicking on links from unknown or unverified sources
  • Review credit reports
  • Review unknown uses of online accounts
  • Subscribe to a credit monitoring service
  • Freeze credit

Lack of Proper Encryption in Transit

  • Do Not Ignore SSL Warnings
  • Use Encryption

Lack of Proper Encryption at Rest

  • Encrypt PII
  • Don't store sensitive information unencrypted

Using Components with Known Vulnerabilities (Should configuration and patching be 2 separate?)

  • Patch
  • Configure application settings for security
  • Do not configure devices to automatically connect to WiFi access points

Running Unnecessary Software or Services

  • Don't install unneeded software
  • Remove software not in use
  • Do not enable services you don't use

Poor Physical Security

  • Encrypt devices and drives
  • Do not leave mobile devices unattended
  • Use an inactivity lockout
  • Password protect all devices

Lack of Proper Protection for Personal Devices and Network

  • Use Personal Firewalls
  • Properly Secure Wireless Access Points
  • Use Intrusion Detection Services
  • Use anti-virus
  • Learn to recognize threats?