Security Issues
vuvnguyen95 edited this page Nov 6, 2023 · 17 revisions
It is important to us to keep and protect the sensitive information the app holds about the user: personal information, health and fitness data, and the user's schedule.
- Store credentials securely. Passwords are never kept in a recoverable form (neither plaintext nor reversible encryption); they are hashed with a slow, salted key-derivation function such as scrypt, bcrypt or Argon2. Other sensitive data is encrypted in transit and at rest using secure storage solutions, and cryptographic choices are reviewed regularly to keep up with current standards.
- Authenticate the user regularly, and require re-authentication (including multi-factor authentication) before granting access to private information.
- Monitor the app continuously so problems can be acted on as soon as they appear. Review and update access control lists periodically, watch for unusual access patterns, and apply updates and patches promptly.
- Delete old or unused data. Besides freeing storage, data the app no longer holds cannot be leaked, so data minimization reduces the impact of any breach.
- Implement a lockout or rate-limiting feature after repeated login failures, which slows brute-force login attacks. Caveat: a permanent lockout lets an attacker lock a victim out of their own account simply by failing logins on purpose, so lockouts should be time-limited and combined with progressive delays and per-client rate limits.
- Incorporate static and dynamic code analysis tools in the CI/CD pipeline to automatically detect and address security issues.
- Implement automated backups and test data recovery processes regularly.
- Create educational resources and regular training programs for users.
- Regularly review compliance requirements and adjust data handling and privacy policies accordingly.
1. Server vulnerabilities: Attackers may exploit server vulnerabilities to gain root access, potentially compromising the entire system.
- Protection plan: Monitor for and promptly apply software updates and patches. Run services with least privilege so that a compromised service does not hand over root. Deploy a firewall, including a web application firewall (WAF) in front of the app.
2. API vulnerabilities: An insecure API exposes data to breaches and unauthorized access.
- Protection plan: Monitor API traffic, and require API keys or tokens that identify the client and carry its permissions. On every request, check that the token is authentic and unexpired and that it grants the operation being requested.
3. Account enumeration and guessable user accounts:
- Protection plan: Return the same error message, in about the same time, whether the username or the password is wrong, so that responses cannot be used to confirm which accounts exist. Apply the same rule to password-reset and registration flows. Use CAPTCHA to thwart automated account guessing.
4. Outdated or vulnerable third-party libraries:
- Protection plan: Keep third-party libraries and dependencies up to date. Regularly scan the dependency manifest and the codebase for known vulnerabilities using automated tools.
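The three login-related measures above (salted password hashing, a time-limited lockout after repeated failures, and identical responses for unknown usernames and wrong passwords) fit together in one login routine. The code below is an added example written for this page, not code from the project; the in-memory user store, the scrypt work factors, and the five-failure / fifteen-minute lockout policy are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed scrypt work factors for this example: 16 MiB of memory, one pass.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
MAX_FAILURES = 5            # assumed policy: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed policy: a time-limited lock, so an attacker
                            # cannot permanently lock a victim out of the account
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The plaintext password is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare it in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class AuthService:
    """Constructed in-memory user store; a real app would persist this in a database."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.users: Dict[str, Tuple[bytes, bytes]] = {}     # username -> (salt, digest)
        self.failures: Dict[str, Tuple[int, float]] = {}   # username -> (count, locked_until)
        # A throw-away credential that is verified for unknown usernames, so a request
        # for a user that does not exist costs the same scrypt time as one that does.
        self._dummy = hash_password(os.urandom(32).hex())

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            # Same message as a bad password: answering "account locked" would confirm
            # that the account exists. Notify the real owner out of band instead.
            return False, GENERIC_ERROR
        if locked_until and now >= locked_until:
            count, locked_until = 0, 0.0                    # lock expired: fresh window

        record = self.users.get(username)
        salt, expected = record if record is not None else self._dummy
        matched = verify_password(password, salt, expected)  # the KDF always runs
        if matched and record is not None:
            self.failures.pop(username, None)                 # success resets the counter
            return True, "ok"

        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        return False, GENERIC_ERROR
```

The per-username counter on its own still lets an attacker spread guesses across many accounts, so a deployment would pair it with a per-client rate limit and CAPTCHA as the list above describes; the dummy-credential trick only narrows the timing difference, it does not remove every side channel.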
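For the API protection plan (item 2), a token has to carry both the client's identity and its permissions, and the server has to check signature, expiry and scope on every call. The following is an added example for this page, not the project's own API code: it mints and verifies a compact HMAC-SHA256 signed token with a subject, a scope list and an expiry. The `schedule:read` / `schedule:write` scope names, the client id and the signing key are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, client_id: str, scopes: Iterable[str],
                ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a token carrying the client's identity, scopes and expiry, signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    claims = {"sub": client_id, "scp": sorted(scopes), "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("ascii")
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, required_scope: str,
                 now: Optional[int] = None) -> Optional[str]:
    """Return the client id if the token is authentic, unexpired and grants required_scope, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except ValueError:                       # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # verify before trusting any claim
        return None
    claims = json.loads(payload)
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None                              # expired
    if required_scope not in claims.get("scp", []):
        return None                              # authenticated, but not authorized
    return claims["sub"]


# Constructed usage: a mobile client gets a read-only token for the schedule API.
SECRET = b"constructed-example-signing-key"     # assumption: loaded from a secret store in practice
TOKEN = issue_token(SECRET, "mobile-app", ["schedule:read"], ttl_seconds=300)
```

Because the token is stateless, revoking it before expiry needs a server-side denylist (or short lifetimes plus refresh); in production a vetted library with the algorithm pinned is preferable to hand-rolled parsing, but the checks it must perform are the ones shown here.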