Notes on Web App Security

16:38 28 July 2025

Guidelines for Secure Application Design, Development, Implementation & Operations
DATE: (January 25, 2024)
File Type: pdf
----
Extract from the PDF (downloaded 28 July 2025):

5.2 Conduct Security Vulnerability Assessment: Organisation should engage CERT-In
empanelled auditing organisation to conduct the security audit of the developed
application and its related components. The objective of the audit should be discovery
of all known vulnerabilities based on the comprehensive standards/framework such as
ISO/IEC, Cyber Security Audit Baseline Requirements, Open-Source Security Testing
Methodology Manual (OSSTMM3), OWASP Web Security Testing Guide along with
applicable regulatory framework and directions & guidelines issued by agencies.
---- end extract ------

The extract refers to: OWASP Web Security Testing Guide

The next extract is not from the Web Security Testing Guide; it is the "Quick Recommendations" section of the OWASP Multifactor Authentication Cheat Sheet:
---- extract ------
Quick Recommendations
Exactly when and how MFA is implemented in an application will vary on a number of different factors, including the threat model of the application, the technical level of the users, and the level of administrative control over the users. These need to be considered on a per-application basis.

However, the following recommendations are generally appropriate for most applications, and provide an initial starting point to consider.

Require some form of MFA for all users.
Provide the option for users to enable MFA on their accounts using TOTP.
Require MFA for administrative or other high privileged users.
Implement a secure procedure to allow users to reset their MFA.
Consider MFA as a service.
---- end extract ------

The extract clearly says, "Require MFA for administrative or other high privileged users."
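The three technical items in that list (opt-in TOTP for everyone, mandatory MFA for privileged accounts, a secure reset path) are easy to get wrong in the details: skew windows, code reuse, and reset codes stored in the clear. The following is an added example written for these notes, not code from OWASP or CERT-In. It implements HOTP/TOTP from RFC 4226/6238 on the standard library only, a per-role policy gate, a replay guard, and single-use recovery codes for reset. The User dataclass, the role names "user"/"admin", and the recovery-code scheme are assumptions made for the example.

```python
"""TOTP second factor with a per-role MFA policy (constructed example for these notes).
Not code from OWASP or CERT-In; User/role names and the reset scheme are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set

STEP = 30     # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1    # accept one step of clock skew on either side


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(key, int(unix_time) // step, digits)


@dataclass
class User:
    name: str
    role: str                                # "user" or "admin" (assumed role names)
    totp_secret: Optional[bytes] = None      # None until the user enrols
    last_counter: int = -1                   # highest time step already accepted
    recovery_hashes: Set[str] = field(default_factory=set)


class MfaRequired(Exception):
    """Policy demands MFA but the account has none enrolled."""


def enrol_totp(user: User) -> str:
    """Fresh 160-bit secret; returns the base32 form to put in the authenticator app."""
    user.totp_secret = secrets.token_bytes(20)
    user.last_counter = -1
    return base64.b32encode(user.totp_secret).decode()


def verify_totp(user: User, code: str, now: Optional[float] = None) -> bool:
    """Check a code against the current step +/- WINDOW; every step is single-use."""
    if user.totp_secret is None or not code.isdigit():
        return False
    counter = int(time.time() if now is None else now) // STEP
    for c in range(counter - WINDOW, counter + WINDOW + 1):
        if c <= user.last_counter:           # already consumed: reject the replay
            continue
        if hmac.compare_digest(hotp(user.totp_secret, c), code):
            user.last_counter = c
            return True
    return False


def issue_recovery_codes(user: User, count: int = 5) -> List[str]:
    """One-time reset codes; only hashes are stored (64-bit random codes, so SHA-256 suffices)."""
    codes = [secrets.token_hex(8) for _ in range(count)]
    user.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes


def reset_mfa(user: User, recovery_code: str) -> bool:
    """Secure reset path: a valid recovery code clears the enrolment and is consumed."""
    digest = hashlib.sha256(recovery_code.encode()).hexdigest()
    if digest not in user.recovery_hashes:
        return False
    user.recovery_hashes.discard(digest)
    user.totp_secret = None
    user.last_counter = -1
    return True


def second_factor_ok(user: User, code: str, now: Optional[float] = None) -> bool:
    """Policy gate run after the password check: admins must have TOTP enrolled,
    other users are checked only if they opted in."""
    if user.totp_secret is None:
        if user.role == "admin":
            raise MfaRequired(f"{user.name}: privileged account without MFA")
        return True
    return verify_totp(user, code, now)


if __name__ == "__main__":
    admin = User("alice", "admin")
    enrol_totp(admin)
    t = 1_700_000_000
    code = totp(admin.totp_secret, t)
    print(second_factor_ok(admin, code, now=t))   # True
    print(second_factor_ok(admin, code, now=t))   # False: same code replayed
```

The replay guard works by remembering the highest accepted time step, so a code captured by a phishing proxy cannot be submitted a second time inside the skew window. The reset path deliberately wipes the enrolment rather than handing out a new secret: re-enrolment then runs through the normal flow, and an admin who resets is immediately refused login by the policy gate until that re-enrolment is done.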
======================