
Security requirements #11

Open

mimski opened this issue Oct 29, 2019 · 0 comments

Labels: TBI requirement must have
Milestone: R&D

Comments

@mimski (Owner) commented Oct 29, 2019

  • Secure data communication between all "layers" (for HTTPS: TLS 1.2)
      • Client <-> backend
      • Backend <-> database
      • Backend <-> mail server
  • Transparent data encryption (protecting data at rest) or column-level data encryption (preferred) for confidential customer data.
  • The system must be resistant to attacks like cross-site scripting, SQL injection, buffer overflow, session hijacking etc. Protection from attacks including (but not limited to):
      • Input validation performed on server and client side (adhere to validation rules like length arrays, content of text arrays, mandatory arrays etc.);
      • HTTP session management prevents session hijacking (e.g. change of session ID after logon, regular session changes, additional security mechanisms such as tickets, etc.);
      • Consistent use of "escape sequences" for non-standard character outputs;
      • Consistent use of "Prepared Statement" for database queries and restriction of SQL commands from input data;
      • Error messages displayed to user, customer or third parties do not provide sensitive information on data or system (e.g. for "wrong password", do not display stack traces, only HTTP 200 and 300 as response).

@mimski mimski added the TBI requirement must have label Oct 29, 2019
@mimski mimski added this to the R&D milestone Oct 29, 2019
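The following is an added illustration of the four code-level requirements in the issue (server-side input validation, session ID rotation after logon, prepared statements instead of SQL built from input, and generic error responses with no stack trace); it is not code from this repository. It assumes a Python backend with an in-memory SQLite table standing in for the database, a constructed salt, and hypothetical validation rules (1 to 32 characters from a restricted set); the unsafe query is shown only as the "before" form the requirement forbids.

```python
import hashlib
import hmac
import html
import logging
import secrets
import sqlite3

# Constructed salt for the example; a real store keeps a random per-user salt beside the hash.
SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes = SALT) -> str:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) so stored credentials are protected at rest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the backend's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def validate_username(username) -> bool:
    """Server-side validation: mandatory, bounded length, restricted character set (assumed rules)."""
    if not isinstance(username, str) or not 1 <= len(username) <= 32:
        return False
    return all(c.isalnum() or c in "._-" for c in username)


def find_user_unsafe(conn, username: str) -> list:
    """The forbidden form: input spliced into the SQL text, so the input can change the query."""
    query = "SELECT username, password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user(conn, username: str) -> list:
    """Prepared statement: the value is bound as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def render(text: str) -> str:
    """Escape every value before it reaches HTML output, regardless of where it came from."""
    return html.escape(text, quote=True)


class SessionStore:
    """Server-side session table keyed by an unguessable random ID."""

    def __init__(self):
        self._sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def promote(self, sid: str, username: str) -> str:
        """Rotate the ID at logon: the pre-login ID is dropped, so it can never name an authenticated session."""
        state = self._sessions.pop(sid, {"user": None})
        state["user"] = username
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def user_for(self, sid: str):
        return self._sessions.get(sid, {}).get("user")


# One message for every failure: unknown user, bad password and internal errors look the same to the client.
GENERIC_FAILURE = "Sign-in failed. Check your details and try again."


def login_handler(conn, sessions, sid, username, password):
    """Return (http_status, html_body, session_id). Failures answer 200 with a generic body."""
    try:
        if not validate_username(username) or not isinstance(password, str):
            return 200, render(GENERIC_FAILURE), sid
        rows = find_user(conn, username)
        candidate = hash_password(password)  # computed even for unknown users, so timing does not reveal them
        if not rows or not hmac.compare_digest(candidate, rows[0][1]):
            return 200, render(GENERIC_FAILURE), sid
        return 200, "Welcome, " + render(username), sessions.promote(sid, username)
    except Exception:
        # The stack trace goes to the server log only; the client never sees it.
        logging.exception("login failed for session %s", sid[:8])
        return 200, render(GENERIC_FAILURE), sid
```

Passing the same constructed injection string to both lookup functions shows the difference the requirement is after: the concatenated query returns every row, while the bound parameter matches nothing. After a successful logon the caller must store the new session ID it receives; the old one is no longer valid.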