Low Level Application Requirements

  1. The application must validate all user input so that malformed or hostile input, such as SQL or email injection attempts, is rejected before it is processed.
  2. The application must refer to the privacy and/or security policies on the pages where they apply.
  3. The application must be tested for security flaws before release, especially if it is public facing.
  4. It should not be possible to navigate back past the login screen and regain access on the same computer after the original user has logged off the application.
  5. No sensitive information should be stored in cookies by the application.
  6. User passwords must not be stored on the client computer in plaintext form at any time.
  7. User passwords must not be transmitted in the clear.
  8. Access to sensitive data must not be granted without authentication.
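The following is an added example, not part of the original requirements list, showing one way to meet requirement 1 in practice: allowlist validation of user input (rejecting anything that does not match an expected pattern, including the CR/LF line breaks that email-header injection relies on) combined with a parameterized database query so that user-supplied text is never interpreted as SQL. All function names, patterns and sample records are assumptions constructed for this illustration.

```python
"""Added example (not from the original requirements page): allowlist input
validation plus parameterized SQL, illustrating requirement 1 (reject malformed
or hostile input such as SQL or email injection). All names, patterns and
sample data are constructed for this example."""
import re
import sqlite3

# Allowlist patterns: reject anything that does not match, rather than trying
# to strip out known-bad characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
# Deliberately conservative email pattern: one local part, one domain, no
# whitespace and no CR/LF (the characters email-header injection depends on).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}$")


class ValidationError(ValueError):
    """Raised when input does not match the allowlist."""


def validate_username(value) -> str:
    """Return the username unchanged if it matches the allowlist, else raise."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("username does not match allowed pattern")
    return value


def validate_email(value) -> str:
    """Return the address unchanged if it is a single, well-formed address."""
    # Explicit CR/LF check first so the failure reason is clear in logs.
    if not isinstance(value, str) or "\r" in value or "\n" in value:
        raise ValidationError("email contains line breaks (header injection)")
    if not EMAIL_RE.fullmatch(value):
        raise ValidationError("email does not match allowed pattern")
    return value


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user(conn: sqlite3.Connection, username: str):
    """Look up a user by name; validation plus a bound parameter, never string
    concatenation, so the value cannot change the meaning of the query."""
    name = validate_username(username)  # raises on anything outside the allowlist
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (name,)
    ).fetchone()


def is_accepted(validator, value) -> bool:
    """Convenience wrapper: True if the validator accepts the value."""
    try:
        validator(value)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    db = build_demo_db()
    for candidate in ["alice", "alice' OR '1'='1", "x"]:
        print(repr(candidate), "->", "accepted" if is_accepted(validate_username, candidate) else "rejected")
    print(find_user(db, "alice"))
```

The validator is the first line of defence and the bound parameter is the second; either alone is weaker, since a pattern can be too permissive and a query built by concatenation would accept whatever the pattern lets through.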