AppSec Knowledge Base

SESSION MANAGEMENT

The risk of broken session management.

Broken authentication and session management is consistently one of the OWASP Top 10 Web Application Security Risks, and a vulnerability that developers must continually guard against.

Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Websites and browsers use HTTP to communicate, and a session is a series of HTTP requests and transactions initiated by the same user. Typically, a session is started when a user authenticates their identity using a password or another authentication protocol. Session management involves the sharing of secrets with authenticated users, and as such, secure cryptographic network communications are essential to maintaining session management security.

Fixing session management vulnerabilities.

When user authentication and session management are not correctly configured, attackers may be able to compromise passwords, session tokens or keys to gain access to users' accounts and assume their identities.

Many of today’s development frameworks offer tools for secure implementation of session management, but there are potential weaknesses in any of these solutions. That’s why it’s important for developers to ensure they’re using the latest version of any framework, to securely configure session management options and to adopt application security testing protocols to identify and remediate any issues. That’s where Veracode can help.

Securing session management with Veracode.

Veracode provides leading application security testing solutions that help to protect the software driving business today. Built on a unified, cloud-based platform, our testing services enable development teams and IT administrators to go beyond the network security firewall to significantly improve application security without slowing development timelines. With Veracode, organizations no longer need to choose between speed and security when developing software.

Our suite of testing technologies is available as SaaS-based services, delivered on demand throughout the software development lifecycle. Developers can get immediate feedback about potential flaws as they write code, submit code for static analysis throughout development, test applications in production for potential flaws, and evaluate the risks and vulnerabilities in open source, commercial and third-party applications. From SQL injection and cross-site scripting to flaws that may allow DDoS attacks and broken session management, Veracode testing services help to quickly find and fix flaws that compromise application and organization security.

Learn more about remediating session management flaws with Veracode, or visit our AppSec knowledge base to learn more about the Information Technology Infrastructure Library or get answers to questions like “What is spoof?”
