[Global_industry_committee] [Owasp-leaders] Draft NIST Special Publication 800-118 Guide to Enterprise Password Management

Jeff Williams jeff.williams at owasp.org
Thu May 21 12:26:53 EDT 2009


Could someone compare what's in the NIST pub to what is required in the
OWASP ASVS sections on Authentication and Session Management?

Thanks,

--Jeff


> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of David Campbell
> Sent: Wednesday, May 20, 2009 5:28 PM
> To: Eoin
> Cc: owasp-leaders at lists.owasp.org;
> Global_industry_committee at lists.owasp.org
> Subject: Re: [Owasp-leaders] [Global_industry_committee] Draft NIST
> Special Publication 800-118 Guide to Enterprise Password Management
> 
> also, obviously, make sure the logout button destroys the cookie
> server-side
> 
> DC
> 
> 
> Eoin wrote:
> > hi Colin, am reviewing the response,
> >
> > 3.1.2 Password Capturing : Transmission
> >
> > Regarding: "Web applications should guard against replay attacks by
> > careful design of session management, the provision of a robust logout
> > mechanism, inclusion of a log out link or button in every view and
> > content anti-caching measures."
> >
> > My 10 cents:
> > regarding replay attacks, the fundamental control to prevent such
> > attacks is privacy of the data in transit. Saying "careful session
> > management" does not really give one guidance? The addition of entropy,
> > secret key, salt is also a good approach for transmission of passwords
> > over a non-encrypted tunnel. Message hashing (with salt) which includes
> > a nonce also helps prevent replay.
> >
> > 3.1.3 Password Capturing : User Knowledge and Behavior
> > May be good to add "out of band" informational functionality. If an
> > event occurs in an account, the account owner is informed of the event
> > via out-of-band means (mobile phone SMS, email, snail mail) - this may
> > only be applicable for enterprise apps, but that's where the money
> > is :0) (This may be a runner since you mention out-of-band in 3.3.1)
> >
> > 3.2.1 Password Guessing and Cracking : Guessing
> > Can we add something on reverse brute force (same password but cycle
> > through user IDs)?
> >
> > 3.4 Using Compromised Passwords
> > "Least privilege" is the word I would use there.
> >
> > The inclusion of the logout button on every page which requires
> > authentication is more accurate.
> >
> > 2009/5/20 Colin Watson <colin.watson at owasp.org>
> >
> >     Jeff
> >
> >     Thanks for the helpful tips on presenting our views, especially for
> >     making the case why OWASP's input is important.... and hopefully
> >     compelling.
> >
> >     Regards
> >
> >     Colin
> >     _______________________________________________
> >     Global_industry_committee mailing list
> >     Global_industry_committee at lists.owasp.org
> >     https://lists.owasp.org/mailman/listinfo/global_industry_committee
> >
> >
> >
> >
> > --
> > Eoin Keary CISSP CISA
> > https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
> >
> > OWASP Code Review Guide Lead Author
> > OWASP Ireland Chapter Lead
> > OWASP Global Committee Member (Industry)
> >
> > Quis custodiet ipsos custodes
> > ------------------------------------------------------------------------
> >
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
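Two mechanisms come up in the quoted thread: Eoin's suggestion that a salted message hash including a nonce stops replay of a captured login over an unencrypted channel, and DC's point that logout must destroy the session on the server and not merely the cookie in the browser. The Python below is an added example illustrating both together; it is not code from the mailing list, from OWASP, or from the NIST SP 800-118 draft. The AuthServer class, the in-memory credential and session tables, and the "alice" credential are constructed for illustration. Caveat, in line with Eoin's first point: the server must hold a password-equivalent verifier for this to work, and a captured (salt, nonce, proof) triple still allows offline guessing against that verifier, so the scheme prevents replay only and is no substitute for confidentiality in transit.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential store for the example: user -> (salt, verifier).
# The verifier is PBKDF2(password, salt); the server never stores the
# clear-text password. All names here are hypothetical, not from the draft.
_USERS = {}
_KDF_ITERATIONS = 50_000


def _derive_key(password, salt):
    """Derive the shared secret from password and salt; client and server agree on this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _KDF_ITERATIONS)


def register(user, password):
    """Enrol a user: pick a random per-user salt and store only the derived verifier."""
    salt = secrets.token_bytes(16)
    _USERS[user] = (salt, _derive_key(password, salt))


def client_proof(password, salt, nonce):
    """What the client sends instead of the password: an HMAC over the
    server-issued nonce, keyed by the salted password hash."""
    key = _derive_key(password, salt)
    return hmac.new(key, nonce.encode("utf-8"), hashlib.sha256).hexdigest()


class AuthServer:
    """Server side: single-use login nonces plus a server-side session table."""

    def __init__(self, nonce_ttl=30):
        self.nonce_ttl = nonce_ttl
        self._nonces = {}    # nonce -> expiry time; removed on first use
        self._sessions = {}  # session token -> user; the cookie carries only the token

    def issue_nonce(self):
        """Step 1 of login: hand the client a fresh, unpredictable, time-limited nonce."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = time.time() + self.nonce_ttl
        return nonce

    def salt_for(self, user):
        """The salt is not secret; the client needs it to derive the same key."""
        entry = _USERS.get(user)
        return entry[0] if entry else None

    def login(self, user, nonce, proof):
        """Step 2: verify the proof. Returns a session token or None.
        The nonce is consumed whether or not the proof verifies, so a
        captured (nonce, proof) pair cannot be replayed later."""
        expiry = self._nonces.pop(nonce, None)
        if expiry is None or time.time() > expiry:
            return None  # unknown, already used, or stale nonce
        entry = _USERS.get(user)
        if entry is None:
            return None
        _salt, verifier = entry
        expected = hmac.new(verifier, nonce.encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def user_for(self, token):
        """Resolve a presented cookie value to a user, or None if no live session."""
        return self._sessions.get(token)

    def logout(self, token):
        """Destroy the session on the server, not just the cookie in the browser:
        a copy of the old cookie value is worthless afterwards."""
        self._sessions.pop(token, None)


def demo():
    """Run the exchange once and report what replaying captured traffic achieves."""
    server = AuthServer()
    register("alice", "correct horse battery staple")  # constructed test credential
    nonce = server.issue_nonce()
    proof = client_proof("correct horse battery staple", server.salt_for("alice"), nonce)
    token = server.login("alice", nonce, proof)
    results = {
        "login_ok": token is not None,
        "replay_rejected": server.login("alice", nonce, proof) is None,
        "session_live": server.user_for(token) == "alice",
    }
    server.logout(token)
    results["cookie_dead_after_logout"] = server.user_for(token) is None
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'PASS' if passed else 'FAIL'}")
```

The nonce table is the whole replay defence: an attacker who records the login exchange gets a proof bound to a nonce the server has already discarded. The session table is the whole logout defence: clearing the browser cookie alone leaves a stolen copy valid until it expires, whereas removing the server-side entry invalidates every copy at once.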
