The Information Security Specialists

Security Tips

Information and advice to avoid the top security risks found by NTA Monitor during testing in 2010.

  1. SQL injection: to address SQL injection, every database query should be built with parameterised (prepared) statements wherever possible, so that user input travels as data and is never spliced into the query text. Most databases and languages support them (e.g. PREPARE/EXECUTE in MySQL, PreparedStatement in Java, PDO prepared statements in PHP). Where prepared statements are genuinely not possible, every meta character in the input (most importantly the single quote) must be escaped with the database driver's own escaping function (e.g. mysqli_real_escape_string() in PHP) before it reaches the back-end database. Note that HTML encoders such as htmlspecialchars() are not SQL escaping functions: they alter the stored data and do not protect numeric or unquoted contexts, so they should not be relied on for this purpose.
  2. Patch management: systems should be kept up to date with the latest service pack and security patches. A patch management policy that updates IT systems on a regular, defined schedule should also be implemented, so that patching does not depend on ad hoc effort.
  3. Cross-site scripting: to avoid XSS, every point at which user-supplied data is written into a page must encode that data for the context in which it appears (HTML body, attribute value, JavaScript, URL); in HTML the meta characters < > & " and ' must be encoded, not merely restricted. Rejecting characters and HTML tags (e.g. < and >) that a field never legitimately needs is a useful additional layer, but filtering on the way in is not a substitute for encoding on the way out, because stored data may later be rendered in a context where different characters are dangerous.
  4. Cross-site request forgery: switching from a purely persistent authentication method (e.g. a session cookie or HTTP authentication, which the browser attaches to every request automatically) to one that also requires a transient credential (e.g. a hidden field provided on every form) will help prevent CSRF attacks. The usual form of this is to include a secret, unpredictable, user-specific token in each form and verify it on the server in addition to the cookie. Contrary to popular belief, using POST instead of GET does not offer sufficient protection on its own: JavaScript on an attacker's page can forge POST requests with ease. Requests that perform an action should nevertheless always use POST, so that GET requests stay free of side effects and the token check has one place to live. It is therefore recommended that a random token be applied to each form and that submissions with a missing or mismatched token be rejected, to prevent rogue form submission.
  5. Password issues: tighter restrictions must be placed on minimum password length, and more stringent controls on what users may choose as a password need to be applied. This will help users protect their accounts more effectively. It would also be beneficial to provide online guidance on choosing secure passwords. In addition, the characters accepted in the password field and in all other fields submitted via web forms should be reviewed, taking care to filter or escape any characters that may cause back-end systems to execute unwanted commands.
  6. Denial of service (Apache): if web servers are running a version of Apache HTTP Server known to be vulnerable to a denial-of-service attack, the vendor's patches should be applied or the servers upgraded to the latest supported version.
  7. No account lockout mechanism: it is recommended that accounts are locked after a small number of consecutive failed logon attempts (around three). This makes online brute-force guessing of a single account's password impractical. To avoid locking an account out indefinitely (which hands an attacker an easy denial of service against legitimate users), best practice is a temporary lockout of substantial length, e.g. between 30 minutes and two hours after three incorrect attempts. There is a good chance this will not affect a genuine user, but it will certainly hamper an attacker's progress. Note that per-account lockout does not stop an attacker trying one common password against many accounts, so failed logons should also be logged and monitored.
  8. Static session ID used before and after authentication: the session ID issued to an unauthenticated visitor should be expired on successful login and a new one issued. Otherwise an attacker who can plant or learn the pre-login ID (session fixation) inherits the authenticated session once the user logs in.
  9. No, or weak, encryption: access to sensitive or confidential information should only be permitted over SSL/TLS, using current protocol versions and strong cipher suites. It is particularly important that login forms are both served from and submitted to an HTTPS URL, and that session cookies are marked Secure so they are never sent in the clear.
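The following is an added example for tip 1, not code from the original page or from NTA Monitor: a login check written the vulnerable way (user input formatted into the SQL text) beside the same check using a parameterised query. The users table, its two rows and the attacker's password are constructed for the demonstration, and sqlite3 is used only so that it runs offline; the same pattern applies to MySQL PREPARE or Java PreparedStatement.

```python
"""Added example: string-built query (the 'before') beside a parameterised query.

Illustrative code for this page, not NTA Monitor's. The users table, the
two rows and the attacker's input are constructed; sqlite3 is used so the
example runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only to keep the injection point visible; real
    # systems store salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is spliced into the SQL text, so a quote in the input
    changes the structure of the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The query text is fixed; the values travel separately as bound
    parameters and can never be interpreted as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Classic meta-character payload: the single quote closes the password literal
# and the appended tautology makes the WHERE clause true for every row.
ATTACK_PASSWORD = "x' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_parameterised": login_parameterised(conn, "alice", "correct horse"),
        "attack_vulnerable": login_vulnerable(conn, "alice", ATTACK_PASSWORD),
        "attack_parameterised": login_parameterised(conn, "alice", ATTACK_PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-22s %s" % (name, result))
```

With the vulnerable function the query becomes `... AND password = 'x' OR '1'='1'`, which the database reads as `(username = 'alice' AND password = 'x') OR '1'='1'` and so matches every row; the parameterised version compares the literal string `x' OR '1'='1` against the stored password and fails.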
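As an added example for tip 3 (not code from the original page or from NTA Monitor), the block below contrasts stripping < and > from input with encoding the value for the context it is written into. The two page templates and the two payloads are constructed; the attribute payload contains no angle brackets at all, which is exactly the case a tag filter misses.

```python
"""Added example: encode untrusted data on output, per context, rather than
relying on stripping '<' and '>' from input.

Illustrative code for this page, not NTA Monitor's. The page templates and
the two payloads are constructed.
"""
import html
import re

ANGLE_BRACKETS = re.compile(r"[<>]")


def strip_tags_on_input(value: str) -> str:
    """Weak input filter: removes < and >, which is all a tag filter does."""
    return ANGLE_BRACKETS.sub("", value)


def render_body(value: str) -> str:
    """HTML element body: encode & < > (quote=True also encodes " and ')."""
    return "<p>Search results for: %s</p>" % html.escape(value, quote=True)


def render_attribute(value: str) -> str:
    """Quoted attribute value: the double quote MUST be encoded or the value can
    close the attribute early and introduce an event-handler attribute."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


def render_attribute_filtered_only(value: str) -> str:
    """The flawed approach: tags filtered on input, value written raw into an attribute."""
    return '<input name="q" value="%s">' % strip_tags_on_input(value)


def attribute_intact(markup: str) -> bool:
    """The template has exactly two quoted attributes, i.e. four double quotes.
    Any extra double quote means the user value broke out of value="..."."""
    return markup.count('"') == 4


BODY_PAYLOAD = "<script>alert(1)</script>"
# No '<' or '>' at all, so tag filtering leaves it untouched:
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def demo() -> dict:
    return {
        "body_script_neutralised": "<script>" not in render_body(BODY_PAYLOAD),
        "attr_encoded_intact": attribute_intact(render_attribute(ATTR_PAYLOAD)),
        "attr_filtered_intact": attribute_intact(render_attribute_filtered_only(ATTR_PAYLOAD)),
    }


if __name__ == "__main__":
    print(render_attribute_filtered_only(ATTR_PAYLOAD))
    print(render_attribute(ATTR_PAYLOAD))
    print(demo())
```

Run stand-alone, the filtered-only template prints `<input name="q" value="" onfocus="alert(1)" autofocus="">`, a working script injection that never needed a tag; the encoded template keeps the whole payload inside the attribute value as `&quot; onfocus=&quot;alert(1)&quot; autofocus=&quot;`.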
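The next block is an added example for tip 4 and is not code from the original page or from NTA Monitor. It models a server that keeps a per-session CSRF secret, derives a token for each form with HMAC, and accepts a POST only when the cookie and the token both check out; a cookie-only handler is kept beside it as the "before". The `transfer` form, the session store and the request dictionaries are constructed for the demonstration.

```python
"""Added example: per-session CSRF token verified in addition to the session cookie.

Illustrative code for this page, not NTA Monitor's. The 'transfer' form,
the session store and the request dictionaries are constructed.
"""
import hashlib
import hmac
import secrets


class CsrfProtectedApp:
    def __init__(self) -> None:
        self.sessions = {}   # session_id (the cookie value) -> per-session CSRF secret

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = secrets.token_bytes(32)
        return sid

    def form_token(self, sid: str, form_name: str) -> str:
        """Token the server embeds as a hidden field when it renders form_name.
        It is derived from a secret the attacker's site cannot read, and bound
        to the form so a token leaked from one form does not unlock another."""
        return hmac.new(self.sessions[sid], form_name.encode(), hashlib.sha256).hexdigest()

    def handle_post(self, cookie_sid: str, form_name: str, fields: dict) -> str:
        """The hardened handler: cookie AND matching token are both required."""
        if cookie_sid not in self.sessions:
            return "401 no session"
        submitted = fields.get("csrf_token", "")
        expected = self.form_token(cookie_sid, form_name)
        if not hmac.compare_digest(submitted, expected):   # constant-time compare
            return "403 csrf token missing or wrong"
        return "200 action performed"

    def handle_post_cookie_only(self, cookie_sid: str, fields: dict) -> str:
        """The 'before': a POST is accepted on the strength of the cookie alone."""
        if cookie_sid not in self.sessions:
            return "401 no session"
        return "200 action performed"


def demo() -> dict:
    app = CsrfProtectedApp()
    sid = app.new_session()                      # victim logs in; browser stores cookie
    # Genuine submission: the browser posts the token the server put in the form.
    genuine = {"to": "bob", "amount": "100", "csrf_token": app.form_token(sid, "transfer")}
    # Forged submission: attacker's page makes the victim's browser POST the same
    # fields. The browser attaches the cookie automatically, but the attacker's
    # page cannot read the victim's token, so it is absent (or a guess).
    forged = {"to": "mallory", "amount": "100"}
    guessed = dict(forged, csrf_token="0" * 64)
    return {
        "genuine": app.handle_post(sid, "transfer", genuine),
        "forged_with_token_check": app.handle_post(sid, "transfer", forged),
        "guessed_with_token_check": app.handle_post(sid, "transfer", guessed),
        "forged_cookie_only": app.handle_post_cookie_only(sid, forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-26s %s" % (name, result))
```

The forged request is a POST, carries the victim's cookie, and still fails: that is the point of the tip that POST alone does not help, while an unguessable token the attacker's origin cannot read does.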
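Tips 7 and 8 describe two parts of one login flow, so they share a single added example below (not code from the original page or from NTA Monitor): an account locks for 30 minutes after three consecutive failures, and a successful login retires the anonymous session ID and issues a new one. The user store, the lock period and the controllable clock are constructed so the demo can "wait out" the lock instantly.

```python
"""Added example: temporary lockout after three failures plus session ID rotation on login.

Illustrative code for this page, not NTA Monitor's. The user table, the
30-minute lock period and the FakeClock are constructed for the demo.
"""
import hmac
import secrets
import time

LOCK_THRESHOLD = 3          # consecutive failures before the account locks
LOCK_SECONDS = 30 * 60      # lower end of the 30 min to 2 h range in the tip


class FakeClock:
    """Controllable clock so the demo can 'wait' 30 minutes instantly."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginService:
    def __init__(self, credentials: dict, clock=time.time) -> None:
        # Constructed demo store. Real systems keep salted hashes, not passwords.
        self.credentials = credentials
        self.clock = clock
        self.failures = {}   # username -> (consecutive_failures, locked_until)
        self.sessions = {}   # session_id -> username, or None before login

    def start_session(self) -> str:
        """Anonymous session issued when the visitor first arrives."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def is_locked(self, username: str) -> bool:
        _, locked_until = self.failures.get(username, (0, 0.0))
        return self.clock() < locked_until

    def login(self, sid: str, username: str, password: str):
        """Returns (outcome, session_id). On success the session ID changes."""
        if sid not in self.sessions:
            return ("no_session", sid)
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return ("locked", sid)          # still inside the lock period
        if locked_until:
            count = 0                        # lock expired: start counting afresh
        stored = self.credentials.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            count += 1
            locked_until = now + LOCK_SECONDS if count >= LOCK_THRESHOLD else 0.0
            self.failures[username] = (count, locked_until)
            return ("locked" if locked_until else "failed", sid)
        # Success: clear the failure counter and retire the pre-login session ID
        # so a fixated or sniffed anonymous ID does not become an authenticated one.
        self.failures.pop(username, None)
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = username
        return ("ok", new_sid)


def demo() -> dict:
    clock = FakeClock()
    svc = LoginService({"alice": "correct horse"}, clock=clock)
    sid = svc.start_session()
    attempts = [svc.login(sid, "alice", "guess%d" % i)[0] for i in range(3)]
    during_lock = svc.login(sid, "alice", "correct horse")[0]   # right password, still locked
    clock.advance(LOCK_SECONDS + 1)
    outcome, new_sid = svc.login(sid, "alice", "correct horse")
    return {
        "attempts": attempts,
        "during_lock": during_lock,
        "after_lock": outcome,
        "session_rotated": new_sid != sid and sid not in svc.sessions,
        "new_session_user": svc.sessions.get(new_sid),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the correct password is refused while the lock is active, which is the intended cost of the control, and that the counter only restarts once the lock has expired; an attacker is therefore limited to three guesses per lock period per account, which is why the tip speaks of hampering rather than preventing, and why lockout should be paired with logging of failed attempts.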