Filter
-
Content Type
-
Category
Mobile/Wearable
Visual Display
Digital Appliance
Platform
Recommendations
Filter
featured ai, mobile
blognote: this article assumes that you have prior knowledge about machine learning. if you have any questions, please post them in the samsung neural forum. the development of machine learning has revolutionized the technology industry by bringing human-like decision making to compact devices. from health care to real estate, finance, and computer vision, machine learning has penetrated almost every field. today, many businesses deploy machine learning to gain a competitive edge for their products and services. one of the fastest-growing machine learning areas is deep neural networks (dnn), also known as artificial intelligence (ai), which is inspired by the neural interactions in the human brain. with the ai industry growing so quickly, it is not only difficult to be up-to-date with the latest innovations, but even more so to deploy those developments in your business or application. as ai technology paves its way into the mobile industry, one wonders: what can be achieved with the limited capacity of mobile embedded devices? how does one execute dnn models on mobile devices, and what are the implications of running a computationally intensive model on a low resource device? how does it affect the user experience? typically, a deep neural network is developed on a resource-rich gpu farm or server, where it is designed and then trained with a specific data set. this pre-trained dnn model is then ready to be deployed in an environment, such as a mobile device, to generate output. a pre-trained dnn model can easily be used to develop an ai-based application that brings completely unique user experiences to mobile devices. a variety of pre-trained models, such as inception, resnet, and mobilenet are available in the open source community. the samsung neural sdk is samsung’s in-house inference engine which efficiently executes a pre-trained dnn model on samsung mobile devices. it is a one-stop solution for all application and dnn model developers who want to develop ai-based applications for samsung mobile devices. to simplify the process of deploying applications that exploit neural network technology, the samsung neural sdk supports the leading dnn model formats, such as caffe, tensorflow, tflite, and onnx, while enabling you to select between the available compute units on the device, such as the cpu, gpu, or ai processor.1 the samsung neural sdk enables easy, efficient and secure execution of pre-trained dnn models on samsung mobile devices, irrespective of the constraints posed by hardware such as compute unit capability, memory configuration and power limitations. samsung neural stack features the samsung neural sdk provides simple apis that enable you to easily deploy on-device pre-trained or custom neural networks. the sdk is designed to accelerate the machine learning models in order to improve performance and optimize hardware utilization, balancing performance and latency with memory use and power consumption. the samsung neural sdk supports mixed precision formats (fp32/fp16 and int8), and provides a great variety of operations that enable you to experiment with different models and architectures to find what works best for your use case. it also employs industry-standard cryptographic encryption methods for neural network models, to protect your intellectual property. the samsung neural sdk includes complete api documentation for your ready reference. it describes all the optimization tools and supported operations, provides code examples, and more. sample benchmarking code included with the samsung neural sdk the accompanying sample benchmarking code helps you understand how to use the api methods and demonstrates the available features and configurations, such as selecting a compute unit and execution data type. the samsung neural sdk can be used in a wide range of applications that utilize deep neural networks and improves their performance on samsung mobile devices. it has already been applied to many use cases and we look forward to supporting your application idea. are you interested in using samsung neural sdk? visit samsung neural sdk to learn more about becoming a partner today. partners gain access to the sdk and technical content such as developer tips and sample code. if you have questions about the samsung neural sdk, email us at sdk.neural@samsung.com. [1] ai processors include neural processing units (npu) and digital signal processors (dsp). the samsung neural sdk currently supports only the caffe and tensorflow formats.
Samsung Neural Team
Develop Smart Signage
docapplication security this topic describe the security of applications which run on samsung devices related info web security testing guide owasp secure software development lifecycle microsoft security development lifecycle sdl cwe list version 4 6 overview security is becoming an important issue with the increase of various smart devices in order to protect data from users and businesses, samsung devices are enhancing security in several layers, from hardware to software as samsung device applications are also software driven by samsung, the security needs to be taken into account samsung device applications can store important information such as code and key values and personal information of the user, which is an important resource that must be protected these resources can be leaked due to a variety of reasons, such as a simple mistake by a developer or hacking by an attacker in order to safeguard this, samsung device applications need to be developed according to secure by design in particular, the personal information of the user should comply with the policy related to the personal information for each country secure by design all software within the devices developed by samsung are based on the secure development lifecycle sdl model, and development step is divided into analysis, design, implementation, and testing, so vulnerability should be removed by performing a security review at each step from the same point of view, applications operating on samsung device should maintain the same security level for this, we recommend that you consider security in the application development phase by referring to the following step-by-step security review security in the analysis/design phase you should identify important information that is stored and transferred and ensure that the information is handled safely if you receive user input, you should review that you do not require more information than you need, and there is no issue with the input format you must identify the important information to be used and ensure that the information is displayed on vulnerable areas in the flow of the program in particular, when transmitting important information outside the device, you need to ensure that it communicates with the specified server through a secured channel at the time of designing, you must first define important information that needs to be protected and design it in a proper manner to protect it security in the implementation phase it must be implemented in compliance with security rules to prevent information in the software from being leaked through known vulnerabilities important information obtained in the design phase should be stored by applying security techniques such as encryption and make sure that it does not exist in plain text within the program establish secure coding rules for each language and proceed with development accordingly you must use only the minimum permissions required and notify the user of the permissions you use you should make sure that the security channel is properly set on the network, and the latest version of the technology is applied if you use encryption algorithms, you must use them securely using verified standard algorithms where vulnerabilities are not reported security in test phase security checks must be performed before deployment to prevent security issues and maintain security through maintenance after deployment before deployment, it is necessary to verify that there is no issue with analysis, design, and implementation when actually operated through simulated hacking, packet checking, etc after deployment, if a new vulnerability is found or a modification occurs in the security check, it must be patched and applied to all users as soon as possible security review process in order to maintain the security of the application ecosystem, samsung is performing security checks on the submitted applications samsung checks the risk or misuse cases that may occur due to the submitted applications, and if there is an issue, the deployment process can be stopped and the application submitter can be advised to fix it application security guide this section provides basic security guidelines to consider in the development of applications for a safe and reliable application running environment, we recommend that you proceed with the following points in the development phase data protection three key factors for data protection are confidentiality, integrity, and availability if an application sends or stores sensitive information, the application must encrypt data stored on these devices and protect it from attackers it is very important to protect sensitive data such as user credentials or personal information in application security if the mechanism of the operating system is not used correctly, sensitive data can be unintentionally exposed definition of sensitive data personally identifiable information that can be exploited for identity theft for example, resident registration number, social security number, credit card number, bank account number, health information, etc sensitive data that can lead to loss of honor and loss of money if leaked all data that must be protected for legal or compliance reasons security item description data protection sensitive data, such as passwords or pin data, should not be exposed through the user interface the key values used by the application must be hardcoded or not stored in plain text sensitive data should not be stored in an application container or external storage sensitive data should not be recorded in the application log sensitive data should not be shared with third parties unless it is necessary in the architecture sensitive data should not be shared with third parties unless it is necessary in the architecture keyboard cache must be disabled from the text input that processes sensitive data sensitive data should not be exposed even during internal communication you should ensure that the data stored in the client-side storage ex html5 local storage, session store, indexeddb, regular cookie, or flash cookie does not contain sensitive data make sure that you have provided clear t&c for the collection and use of the provided personal information and that you have provided selective consent to the use of that data before you use it reference links european union general data protection regulation gdpr overvieweuropean union data protection supervisor - internet privacy engineering networkapplication development privacy guide table 1 data protection security description and reference links authentication if there is a feature to log-in to the remote service by the user, it must be configured through security design even when most of the logic is operating on a remote service, the device must also meet security requirements on how to manage user accounts and sessions security item description authentication if the application provides remote services to the user, user name and password authentication must be performed from the remote service if you use status storage session management, the remote service must authenticate the client request using the randomly generated session identifier without sending the user's credentials if using stateless token-based authentication, the remote services must provide signed tokens using security algorithms when a user logs out, the remote service must end the existing session table 2 authentication security description access control an application can access a resource only if it has access to it security item description access control application must require only the minimum access required application must use the privilege that match the permissions and specify the privileges used when accessing user data, make sure that the principle of minimum access privilege requirement is followed applications must have access to apis, data files, urls, controllers, directories, services, and other resources with minimal access required you should verify and process all input from external resources and users this should include data received through the ui, a user-defined url, inter-process communication ipc , etc if an application uses a completely unprotected custom url, you should not export sensitive information important data or apis must be protected from user access other than data owners reference links owasp cheat sheet access control table 3 access control security description and reference links communications when the network is used, the application should not display the transmitted/received content using a secured channel security item description communications data must be encrypted on the network using tls transport layer security security channels must be used consistently throughout the application the setting of the security channel must be configured to protect information safely the data being transmitted must be protected from being snatched/taken over in the middle ex defence against man in the middle attack reference links owasp – tls cheat sheet table 4 communications security description and reference links input validation you must defend the command insertion attack through validating the validity of input value input value validation should be considered at all stages of development security item description input validation input values must process the data based on type and content, applicable laws, regulations and other policy compliance, and define how to handle it you must ensure that input validation is performed on a trusted service layer you need to check whether it protects against parameter attacks such as mass parameter allocation attacks or unsafe parameter allocation all possible input values e g html form fields, rest requests, url parameters, http headers, cookies, batch files, rss feeds, etc must be checked using validation ex whitelist you should check whether the values entered are in the correct form in well-defined schemas, including allowed characters, lengths, and patterns the url redirection and forward should display a warning that only whitelist targets are allowed or that you are connecting with potentially untrusted content make sure you use memory safety strings, secure memory copy, and pointer calculation to detect or prevent stacks, buffers, or heap overflows in order to prevent integer overflow, you need to make sure that sign, range, and input validation techniques are used reference links xml external entity xxe prevention cheat sheetreducing xss by way of automatic context-aware escaping in template systems table 5 input validation security description and reference links password management in case of application with different user password, security settings are required for them security item description password management you must ensure that the password does not contain spaces and cut/copy is not performed in the password change feature, you should check that the user's current password and new password are required it is recommended to provide a password strength meter so that users can set a stronger password it is also recommended to provide rules that limit allowed character types uppercase letter, numeric, special characters you should check that it is recommended to change your user password within the right due date do not store the user password in the application's properties or settings file in plain text or recoverable form passwords must be stored, transferred, and compared in a hashed state using a standard hash function to prevent random attacks, you should use the login limit number of login or captcha default password should not be generated make sure you do not show the key information, like passwords in the log reference links cwe-804 guessable captchacwe-836 use of password hash instead of password for authenticationcwe-257 storing passwords in a recoverable formatcwe-261 weak encoding for passwordcwe-263 password aging with long expiration table 6 password management security description and reference links session manager a session is a technique for controlling and maintaining the status of a user or device interacting with one user in a web application a session has a unique value for each user and cannot guess or share that value security item description session manager you should check that the session token is not exposed/displayed in the application's url parameter or error message make sure the application generates a new session token from user authentication you should check that the session token is stored using properly secured cookies or security methods you should check that a session token is generated using a standard encryption algorithm make sure the session is not reused by verifying that the session token is invalid when logout and session expires reference links owasp session management cheat sheetalgorithms, key size and parameters report 2014 table 7 session manager security description and reference links error handling the purpose of error handling is to allow applications to provide security events related to monitoring, status check, and increase in permission, and not just creating logs security item description error handling you must ensure that common error handling formats and access method are used you must make sure exception handling is used on the code base to explain expected and unexpected error conditions you must ensure that other error handlers that can prepare all unprocessed exceptions are defined in case of an error, you must make sure that the message shown to the user does not contain application-related technical or sensitive information we recommend using separate error codes for error support table 8 error handling security description release check the following before releasing the application security item description release application must be signed and distributed with a valid certificate, and the private key must be properly protected debugging code and developer support code test code, back door, hidden settings, etc must be removed deployed applications should not output or record detailed errors or debugging messages libraries and frameworks etc used by applications should be checked for known vulnerabilities the equipment used for release must be able to respond to external threats viruses, hacking, etc it should be built in release mode a separate debug message should not be left from the application if you include binary, debug information should be removed if a vulnerability occurs after release, you should update the application as soon as possible and always keep the latest version table 9 release security description
Develop Smart Hospitality Display
docapplication security this topic describe the security of applications which run on samsung devices related info web security testing guide owasp secure software development lifecycle microsoft security development lifecycle sdl cwe list version 4 6 overview security is becoming an important issue with the increase of various smart devices in order to protect data from users and businesses, samsung devices are enhancing security in several layers, from hardware to software as samsung device applications are also software driven by samsung, the security needs to be taken into account samsung device applications can store important information such as code and key values and personal information of the user, which is an important resource that must be protected these resources can be leaked due to a variety of reasons, such as a simple mistake by a developer or hacking by an attacker in order to safeguard this, samsung device applications need to be developed according to secure by design in particular, the personal information of the user should comply with the policy related to the personal information for each country secure by design all software within the devices developed by samsung are based on the secure development lifecycle sdl model, and development step is divided into analysis, design, implementation, and testing, so vulnerability should be removed by performing a security review at each step from the same point of view, applications operating on samsung device should maintain the same security level for this, we recommend that you consider security in the application development phase by referring to the following step-by-step security review security in the analysis/design phase you should identify important information that is stored and transferred and ensure that the information is handled safely if you receive user input, you should review that you do not require more information than you need, and there is no issue with the input format you must identify the important information to be used and ensure that the information is displayed on vulnerable areas in the flow of the program in particular, when transmitting important information outside the device, you need to ensure that it communicates with the specified server through a secured channel at the time of designing, you must first define important information that needs to be protected and design it in a proper manner to protect it security in the implementation phase it must be implemented in compliance with security rules to prevent information in the software from being leaked through known vulnerabilities important information obtained in the design phase should be stored by applying security techniques such as encryption and make sure that it does not exist in plain text within the program establish secure coding rules for each language and proceed with development accordingly you must use only the minimum permissions required and notify the user of the permissions you use you should make sure that the security channel is properly set on the network, and the latest version of the technology is applied if you use encryption algorithms, you must use them securely using verified standard algorithms where vulnerabilities are not reported security in test phase security checks must be performed before deployment to prevent security issues and maintain security through maintenance after deployment before deployment, it is necessary to verify that there is no issue with analysis, design, and implementation when actually operated through simulated hacking, packet checking, etc after deployment, if a new vulnerability is found or a modification occurs in the security check, it must be patched and applied to all users as soon as possible security review process in order to maintain the security of the application ecosystem, samsung is performing security checks on the submitted applications samsung checks the risk or misuse cases that may occur due to the submitted applications, and if there is an issue, the deployment process can be stopped and the application submitter can be advised to fix it application security guide this section provides basic security guidelines to consider in the development of applications for a safe and reliable application running environment, we recommend that you proceed with the following points in the development phase data protection three key factors for data protection are confidentiality, integrity, and availability if an application sends or stores sensitive information, the application must encrypt data stored on these devices and protect it from attackers it is very important to protect sensitive data such as user credentials or personal information in application security if the mechanism of the operating system is not used correctly, sensitive data can be unintentionally exposed definition of sensitive data personally identifiable information that can be exploited for identity theft for example, resident registration number, social security number, credit card number, bank account number, health information, etc sensitive data that can lead to loss of honor and loss of money if leaked all data that must be protected for legal or compliance reasons security item description data protection sensitive data, such as passwords or pin data, should not be exposed through the user interface the key values used by the application must be hardcoded or not stored in plain text sensitive data should not be stored in an application container or external storage sensitive data should not be recorded in the application log sensitive data should not be shared with third parties unless it is necessary in the architecture sensitive data should not be shared with third parties unless it is necessary in the architecture keyboard cache must be disabled from the text input that processes sensitive data sensitive data should not be exposed even during internal communication you should ensure that the data stored in the client-side storage ex html5 local storage, session store, indexeddb, regular cookie, or flash cookie does not contain sensitive data make sure that you have provided clear t&c for the collection and use of the provided personal information and that you have provided selective consent to the use of that data before you use it reference links european union general data protection regulation gdpr overvieweuropean union data protection supervisor - internet privacy engineering networkapplication development privacy guide table 1 data protection security description and reference links authentication if there is a feature to log-in to the remote service by the user, it must be configured through security design even when most of the logic is operating on a remote service, the device must also meet security requirements on how to manage user accounts and sessions security item description authentication if the application provides remote services to the user, user name and password authentication must be performed from the remote service if you use status storage session management, the remote service must authenticate the client request using the randomly generated session identifier without sending the user's credentials if using stateless token-based authentication, the remote services must provide signed tokens using security algorithms when a user logs out, the remote service must end the existing session table 2 authentication security description access control an application can access a resource only if it has access to it security item description access control application must require only the minimum access required application must use the privilege that match the permissions and specify the privileges used when accessing user data, make sure that the principle of minimum access privilege requirement is followed applications must have access to apis, data files, urls, controllers, directories, services, and other resources with minimal access required you should verify and process all input from external resources and users this should include data received through the ui, a user-defined url, inter-process communication ipc , etc if an application uses a completely unprotected custom url, you should not export sensitive information important data or apis must be protected from user access other than data owners reference links owasp cheat sheet access control table 3 access control security description and reference links communications when the network is used, the application should not display the transmitted/received content using a secured channel security item description communications data must be encrypted on the network using tls transport layer security security channels must be used consistently throughout the application the setting of the security channel must be configured to protect information safely the data being transmitted must be protected from being snatched/taken over in the middle ex defence against man in the middle attack reference links owasp – tls cheat sheet table 4 communications security description and reference links input validation you must defend the command insertion attack through validating the validity of input value input value validation should be considered at all stages of development security item description input validation input values must process the data based on type and content, applicable laws, regulations and other policy compliance, and define how to handle it you must ensure that input validation is performed on a trusted service layer you need to check whether it protects against parameter attacks such as mass parameter allocation attacks or unsafe parameter allocation all possible input values e g html form fields, rest requests, url parameters, http headers, cookies, batch files, rss feeds, etc must be checked using validation ex whitelist you should check whether the values entered are in the correct form in well-defined schemas, including allowed characters, lengths, and patterns the url redirection and forward should display a warning that only whitelist targets are allowed or that you are connecting with potentially untrusted content make sure you use memory safety strings, secure memory copy, and pointer calculation to detect or prevent stacks, buffers, or heap overflows in order to prevent integer overflow, you need to make sure that sign, range, and input validation techniques are used reference links xml external entity xxe prevention cheat sheetreducing xss by way of automatic context-aware escaping in template systems table 5 input validation security description and reference links password management in case of application with different user password, security settings are required for them security item description password management you must ensure that the password does not contain spaces and cut/copy is not performed in the password change feature, you should check that the user's current password and new password are required it is recommended to provide a password strength meter so that users can set a stronger password it is also recommended to provide rules that limit allowed character types uppercase letter, numeric, special characters you should check that it is recommended to change your user password within the right due date do not store the user password in the application's properties or settings file in plain text or recoverable form passwords must be stored, transferred, and compared in a hashed state using a standard hash function to prevent random attacks, you should use the login limit number of login or captcha default password should not be generated make sure you do not show the key information, like passwords in the log reference links cwe-804 guessable captchacwe-836 use of password hash instead of password for authenticationcwe-257 storing passwords in a recoverable formatcwe-261 weak encoding for passwordcwe-263 password aging with long expiration table 6 password management security description and reference links session manager a session is a technique for controlling and maintaining the status of a user or device interacting with one user in a web application a session has a unique value for each user and cannot guess or share that value security item description session manager you should check that the session token is not exposed/displayed in the application's url parameter or error message make sure the application generates a new session token from user authentication you should check that the session token is stored using properly secured cookies or security methods you should check that a session token is generated using a standard encryption algorithm make sure the session is not reused by verifying that the session token is invalid when logout and session expires reference links owasp session management cheat sheetalgorithms, key size and parameters report 2014 table 7 session manager security description and reference links error handling the purpose of error handling is to allow applications to provide security events related to monitoring, status check, and increase in permission, and not just creating logs security item description error handling you must ensure that common error handling formats and access method are used you must make sure exception handling is used on the code base to explain expected and unexpected error conditions you must ensure that other error handlers that can prepare all unprocessed exceptions are defined in case of an error, you must make sure that the message shown to the user does not contain application-related technical or sensitive information we recommend using separate error codes for error support table 8 error handling security description release check the following before releasing the application security item description release application must be signed and distributed with a valid certificate, and the private key must be properly protected debugging code and developer support code test code, back door, hidden settings, etc must be removed deployed applications should not output or record detailed errors or debugging messages libraries and frameworks etc used by applications should be checked for known vulnerabilities the equipment used for release must be able to respond to external threats viruses, hacking, etc it should be built in release mode a separate debug message should not be left from the application if you include binary, debug information should be removed if a vulnerability occurs after release, you should update the application as soon as possible and always keep the latest version table 9 release security description
Develop Smart TV
docapplication security this topic describe the security of applications which run on samsung devices related info web security testing guide owasp secure software development lifecycle microsoft security development lifecycle sdl cwe list version 4 6 overview security is becoming an important issue with the increase of various smart devices in order to protect data from users and businesses, samsung devices are enhancing security in several layers, from hardware to software as samsung device applications are also software driven by samsung, the security needs to be taken into account samsung device applications can store important information such as code and key values and personal information of the user, which is an important resource that must be protected these resources can be leaked due to a variety of reasons, such as a simple mistake by a developer or hacking by an attacker in order to safeguard this, samsung device applications need to be developed according to secure by design in particular, the personal information of the user should comply with the policy related to the personal information for each country secure by design all software within the devices developed by samsung are based on the secure development lifecycle sdl model, and development step is divided into analysis, design, implementation, and testing, so vulnerability should be removed by performing a security review at each step from the same point of view, applications operating on samsung device should maintain the same security level for this, we recommend that you consider security in the application development phase by referring to the following step-by-step security review security in the analysis/design phase you should identify important information that is stored and transferred and ensure that the information is handled safely if you receive user input, you should review that you do not require more information than you need, and there is no issue with the input format you must identify the important information to be used and ensure that the information is displayed on vulnerable areas in the flow of the program in particular, when transmitting important information outside the device, you need to ensure that it communicates with the specified server through a secured channel at the time of designing, you must first define important information that needs to be protected and design it in a proper manner to protect it security in the implementation phase it must be implemented in compliance with security rules to prevent information in the software from being leaked through known vulnerabilities important information obtained in the design phase should be stored by applying security techniques such as encryption and make sure that it does not exist in plain text within the program establish secure coding rules for each language and proceed with development accordingly you must use only the minimum permissions required and notify the user of the permissions you use you should make sure that the security channel is properly set on the network, and the latest version of the technology is applied if you use encryption algorithms, you must use them securely using verified standard algorithms where vulnerabilities are not reported security in test phase security checks must be performed before deployment to prevent security issues and maintain security through maintenance after deployment before deployment, it is necessary to verify that there is no issue with analysis, design, and implementation when actually operated through simulated hacking, packet checking, etc after deployment, if a new vulnerability is found or a modification occurs in the security check, it must be patched and applied to all users as soon as possible security review process in order to maintain the security of the application ecosystem, samsung is performing security checks on the submitted applications samsung checks the risk or misuse cases that may occur due to the submitted applications, and if there is an issue, the deployment process can be stopped and the application submitter can be advised to fix it application security guide this section provides basic security guidelines to consider in the development of applications for a safe and reliable application running environment, we recommend that you proceed with the following points in the development phase data protection three key factors for data protection are confidentiality, integrity, and availability if an application sends or stores sensitive information, the application must encrypt data stored on these devices and protect it from attackers it is very important to protect sensitive data such as user credentials or personal information in application security if the mechanism of the operating system is not used correctly, sensitive data can be unintentionally exposed definition of sensitive data personally identifiable information that can be exploited for identity theft for example, resident registration number, social security number, credit card number, bank account number, health information, etc sensitive data that can lead to loss of honor and loss of money if leaked all data that must be protected for legal or compliance reasons security item description data protection sensitive data, such as passwords or pin data, should not be exposed through the user interface the key values used by the application must be hardcoded or not stored in plain text sensitive data should not be stored in an application container or external storage sensitive data should not be recorded in the application log sensitive data should not be shared with third parties unless it is necessary in the architecture sensitive data should not be shared with third parties unless it is necessary in the architecture keyboard cache must be disabled from the text input that processes sensitive data sensitive data should not be exposed even during internal communication you should ensure that the data stored in the client-side storage ex html5 local storage, session store, indexeddb, regular cookie, or flash cookie does not contain sensitive data make sure that you have provided clear t&c for the collection and use of the provided personal information and that you have provided selective consent to the use of that data before you use it reference links european union general data protection regulation gdpr overvieweuropean union data protection supervisor - internet privacy engineering networkapplication development privacy guide table 1 data protection security description and reference links authentication if there is a feature to log-in to the remote service by the user, it must be configured through security design even when most of the logic is operating on a remote service, the device must also meet security requirements on how to manage user accounts and sessions security item description authentication if the application provides remote services to the user, user name and password authentication must be performed from the remote service if you use status storage session management, the remote service must authenticate the client request using the randomly generated session identifier without sending the user's credentials if using stateless token-based authentication, the remote services must provide signed tokens using security algorithms when a user logs out, the remote service must end the existing session table 2 authentication security description access control an application can access a resource only if it has access to it security item description access control application must require only the minimum access required application must use the privilege that match the permissions and specify the privileges used when accessing user data, make sure that the principle of minimum access privilege requirement is followed applications must have access to apis, data files, urls, controllers, directories, services, and other resources with minimal access required you should verify and process all input from external resources and users this should include data received through the ui, a user-defined url, inter-process communication ipc , etc if an application uses a completely unprotected custom url, you should not export sensitive information important data or apis must be protected from user access other than data owners reference links owasp cheat sheet access control table 3 access control security description and reference links communications when the network is used, the application should not display the transmitted/received content using a secured channel security item description communications data must be encrypted on the network using tls transport layer security security channels must be used consistently throughout the application the setting of the security channel must be configured to protect information safely the data being transmitted must be protected from being snatched/taken over in the middle ex defence against man in the middle attack reference links owasp – tls cheat sheet table 4 communications security description and reference links input validation you must defend the command insertion attack through validating the validity of input value input value validation should be considered at all stages of development security item description input validation input values must process the data based on type and content, applicable laws, regulations and other policy compliance, and define how to handle it you must ensure that input validation is performed on a trusted service layer you need to check whether it protects against parameter attacks such as mass parameter allocation attacks or unsafe parameter allocation all possible input values e g html form fields, rest requests, url parameters, http headers, cookies, batch files, rss feeds, etc must be checked using validation ex whitelist you should check whether the values entered are in the correct form in well-defined schemas, including allowed characters, lengths, and patterns the url redirection and forward should display a warning that only whitelist targets are allowed or that you are connecting with potentially untrusted content make sure you use memory safety strings, secure memory copy, and pointer calculation to detect or prevent stacks, buffers, or heap overflows in order to prevent integer overflow, you need to make sure that sign, range, and input validation techniques are used reference links xml external entity xxe prevention cheat sheetreducing xss by way of automatic context-aware escaping in template systems table 5 input validation security description and reference links password management in case of application with different user password, security settings are required for them security item description password management you must ensure that the password does not contain spaces and cut/copy is not performed in the password change feature, you should check that the user's current password and new password are required it is recommended to provide a password strength meter so that users can set a stronger password it is also recommended to provide rules that limit allowed character types uppercase letter, numeric, special characters you should check that it is recommended to change your user password within the right due date do not store the user password in the application's properties or settings file in plain text or recoverable form passwords must be stored, transferred, and compared in a hashed state using a standard hash function to prevent random attacks, you should use the login limit number of login or captcha default password should not be generated make sure you do not show the key information, like passwords in the log reference links cwe-804 guessable captchacwe-836 use of password hash instead of password for authenticationcwe-257 storing passwords in a recoverable formatcwe-261 weak encoding for passwordcwe-263 password aging with long expiration table 6 password management security description and reference links session manager a session is a technique for controlling and maintaining the status of a user or device interacting with one user in a web application a session has a unique value for each user and cannot guess or share that value security item description session manager you should check that the session token is not exposed/displayed in the application's url parameter or error message make sure the application generates a new session token from user authentication you should check that the session token is stored using properly secured cookies or security methods you should check that a session token is generated using a standard encryption algorithm make sure the session is not reused by verifying that the session token is invalid when logout and session expires reference links owasp session management cheat sheetalgorithms, key size and parameters report 2014 table 7 session manager security description and reference links error handling the purpose of error handling is to allow applications to provide security events related to monitoring, status check, and increase in permission, and not just creating logs security item description error handling you must ensure that common error handling formats and access method are used you must make sure exception handling is used on the code base to explain expected and unexpected error conditions you must ensure that other error handlers that can prepare all unprocessed exceptions are defined in case of an error, you must make sure that the message shown to the user does not contain application-related technical or sensitive information we recommend using separate error codes for error support table 8 error handling security description release check the following before releasing the application security item description release application must be signed and distributed with a valid certificate, and the private key must be properly protected debugging code and developer support code test code, back door, hidden settings, etc must be removed deployed applications should not output or record detailed errors or debugging messages libraries and frameworks etc used by applications should be checked for known vulnerabilities the equipment used for release must be able to respond to external threats viruses, hacking, etc it should be built in release mode a separate debug message should not be left from the application if you include binary, debug information should be removed if a vulnerability occurs after release, you should update the application as soon as possible and always keep the latest version table 9 release security description
We use cookies to improve your experience on our website and to show you relevant advertising. Manage you settings for our cookies below.
These cookies are essential as they enable you to move around the website. This category cannot be disabled.
These cookies collect information about how you use our website. for example which pages you visit most often. All information these cookies collect is used to improve how the website works.
These cookies allow our website to remember choices you make (such as your user name, language or the region your are in) and tailor the website to provide enhanced features and content for you.
These cookies gather information about your browser habits. They remember that you've visited our website and share this information with other organizations such as advertisers.
You have successfully updated your cookie preferences.