Good Secure Development Practices Presented By: Bil Corry lasso.pro Education Project. It recommends validating all user input, distrusting even your own requests, and taking a layered approach to validation, enforcement of business rules, and authentication. Some specific best practices include implementing positive authentication, principle of least privilege, centralized authorization routines, separating admin and user access, and ensuring error handling fails safely.
24. QVC lost more than USD $412,000.00 when a woman discovered she could purchase items via the QVC website, immediately cancel her order, but still receive the items.
25. An attacker posing as a legitimate eBay buyer was able to purchase a computer, remove expensive components from it, then return it as "destroyed" to the seller, successfully bypassing business policy controls for eBay, Paypal and UPS. Examples from: http://projects.webappsec.org/Insufficient-Process-Validation
45. HTTP headers and meta tags to prevent caching

    <form … AUTOCOMPLETE="off">  - for all form fields
    <input … AUTOCOMPLETE="off"> - for just one field
53. Positive Authentication (fail closed)

    bAuthenticated := false
    securityRole := null
    try {
        userrecord := fetch_record(username)
        if userrecord[username].password != sPassword then
            throw noAuthentication
        end if
        if userrecord[username].locked == true then
            throw noAuthentication
        end if
        if userrecord[username].securityRole == null or banned then
            throw noAuthentication
        end if
        … other checks …
        bAuthenticated := true
        securityRole := userrecord[username].securityRole
    } catch {
        bAuthenticated := false
        securityRole := null
        // perform error handling, and stop
    }
    return bAuthenticated
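The fail-closed pattern on slide 53, carried into working Python as an added example (not code from the presentation or from Lasso): the result starts in the deny state, every check that fails throws, any exception at all lands back on deny, and a constructed in-memory user table stands in for fetch_record(). The user names, passwords, salt and the "banned" role value are assumptions; salted PBKDF2 hashing, a constant-time compare and a dummy record for unknown users are added so the same work is done on every path.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    # Derive a salted hash; never store or compare plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    locked: bool
    security_role: Optional[str]


# Constructed sample store standing in for fetch_record(username).
_SALT = b"constructed-salt"
USERS = {
    "alice": UserRecord(_SALT, _hash("correct horse", _SALT), False, "user"),
    "mallory": UserRecord(_SALT, _hash("hunter2", _SALT), True, "user"),
    "eve": UserRecord(_SALT, _hash("letmein", _SALT), False, None),
    "bob": UserRecord(_SALT, _hash("pw", _SALT), False, "banned"),
}
# Dummy record for unknown users: locked and roleless, so it can never pass,
# but the hash is still computed so unknown and known names take similar time.
_DUMMY = UserRecord(_SALT, _hash("dummy", _SALT), True, None)


class NoAuthentication(Exception):
    pass


def authenticate(username: str, password: str) -> Tuple[bool, Optional[str]]:
    authenticated = False          # start in the deny state
    security_role = None
    try:
        record = USERS.get(username, _DUMMY)
        if not hmac.compare_digest(_hash(password, record.salt), record.password_hash):
            raise NoAuthentication("bad password")
        if record.locked:
            raise NoAuthentication("account locked")
        if record.security_role is None or record.security_role == "banned":
            raise NoAuthentication("no usable role")
        # ... other checks would go here ...
        authenticated = True        # only a fully successful path flips it
        security_role = record.security_role
    except Exception:
        authenticated = False       # any failure, expected or not, denies
        security_role = None
    return authenticated, security_role
```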