[Owasp-alabama] using SESSION Vars to store sensitive data...

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Tue Jun 21 16:38:24 EDT 2011


On Jun 21, 2011, at 3:16 PM, owasp-alabama at lists.owasp.org wrote:

> On Jun 21, 2011, at 2:59 PM, owasp-alabama at lists.owasp.org wrote:
> 
>> Anyway, we are back to cleartext storage of the credentials in the DB now...  I understand that since it's a limited service account it's not "that much" of a risk, but if I store that, then I'm bound to get a dozen "how do you protect it?" questions..  You would ask, wouldn't you? ;-)
> 
> I would respond with this is a limited account and we are conforming to a least privilege access model. 

That's a good response, yes...

> I would also put in a mandatory expiration period which is internal to the app versus relying on AD to force expiration. 

Mandatory from what perspective?  When the account is written to the settings of the system it's timestamped (in whatever way), and if it's NOW > TIMESTAMP + EXP it fails to work?

Chris



> 
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850      | | o. 866.267.8851 
> "Moments of sorrow are moments of sobriety"
> 
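An added example, not code from the thread, of the app-internal expiration being discussed: the record is timestamped when written, the check is literally NOW > TIMESTAMP + EXP, and an HMAC under an app-held key (an assumption of the example, not something the thread proposes) lets the app notice if the stored timestamp was edited to extend the account's life. The secret itself is still stored cleartext, exactly as the thread describes, so this adds nothing to confidentiality.

```python
import hashlib
import hmac
import json

# Assumed policy for the example: rotate the service account every 90 days,
# enforced by the application itself rather than by AD.
MAX_AGE_SECONDS = 90 * 24 * 60 * 60


def store_credential(username, secret, issued_at, app_key):
    """Build the record written to the app's settings store.

    The secret is kept as-is (cleartext, as in the thread). The HMAC only
    lets the app detect that the record, timestamp included, was edited
    outside the app; it does not hide the secret.
    """
    record = {"user": username, "secret": secret, "issued_at": int(issued_at)}
    payload = json.dumps(record, sort_keys=True)
    tag = hmac.new(app_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def is_expired(issued_at, now, max_age=MAX_AGE_SECONDS):
    """The check from the thread: NOW > TIMESTAMP + EXP."""
    return now > issued_at + max_age


def load_credential(stored, app_key, now, max_age=MAX_AGE_SECONDS):
    """Return (status, (user, secret)); status is 'ok', 'expired' or 'tampered'.

    Integrity is checked before expiry, so rewriting the timestamp in the
    store cannot re-validate an expired record.
    """
    expected = hmac.new(app_key, stored["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stored["tag"]):
        return "tampered", None
    record = json.loads(stored["payload"])
    if is_expired(record["issued_at"], now, max_age):
        return "expired", None
    return "ok", (record["user"], record["secret"])


if __name__ == "__main__":
    key = b"constructed-app-key-kept-outside-the-db"  # constructed sample key
    rec = store_credential("svc_app", "example-password", issued_at=1000, app_key=key)
    print(load_credential(rec, key, now=1000 + MAX_AGE_SECONDS))  # ('ok', ...)
    print(load_credential(rec, key, now=1001 + MAX_AGE_SECONDS))  # ('expired', None)
    rec["payload"] = rec["payload"].replace('"issued_at": 1000', '"issued_at": 9000')
    print(load_credential(rec, key, now=1001 + MAX_AGE_SECONDS))  # ('tampered', None)
```

The app-side key must live somewhere the DB writer cannot reach (config file, secret store), otherwise the integrity check adds nothing over the bare timestamp.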