Security Issues

Our app contains different data that needs protecting. Firstly, it will contain user authentication details (user email addresses, passwords, etc.). Next, the app will also contain information about the network devices each user manually adds (primarily their IP addresses).

All user passwords will only be stored on the system after being salted and hashed. No user passwords will be stored directly either encrypted or as plaintext. When users create their account(s), the password will be salted, hashed, and then stored in the database. All other data needed to be stored by the app will be stored in an encrypted state. The data is able to be decrypted upon successful logon of a user.

Some potential attack vectors could include injection attacks, brute force attacks, HTTP protocol attacks, and various URL attacks. Injection attacks will be mitigated by proper handling of all user-inputted data by escaping all of the characters. Brute force password attacks will be mitigated by a robust password policy which enforces strong password creation for each account. HTTP protocol attacks will be mitigated by the use of encryption and HTTPS. URL attacks will be mitigated by proper handling of URLs. This is done by verifying authorization to each URL and only allowing certain URL paths to each user.

Finally, there is the potential for privileged escalation attacks (i.e. a user being able to upgrade his/her account from standard user to an admin user). This will be mitigated by reducing complexity within user account controls.