Best Practices and Security Considerations

  • Use a TLS library that validates server identity. An improved implementation would ensure the identity of the SmartVault host. Do this by retrieving the X509 certificate associated with smartvault.com and using it to validate the endpoint.
  • Access tokens should be carefully managed. During the OAuth autonomous flow, you will be granted an access token capable of impersonating the target User Id. This token will expire; however, be aware of malicious browser plug-ins that could be installed by an end user to sniff out this token by accessing the DOM. These tokens should be restricted in what they are allowed to perform and carefully protected.
  • Revoke access when no longer needed. You can control whether or not your client id is valid by logging into the SmartVault developer portal and changing settings. Further, you can control what activities this client id is allowed to perform. Restrict access to the bare necessity.
  • Properly manage the RSA private key used to perform the autonomous OAuth flow. Different keys should be generated for testing vs. production. Production keys should be properly managed and access should be restricted to the minimum staff members possible. With access to this key, others could impersonate your application and perform malicious activities.
  • Rotate your RSA private key at least once a year. Good key hygiene suggests these keys should be rotated at least once a year, or at any time the key is suspected or confirmed to have been shared improperly.
  • Consider using a third party vendor to perform routine security audits and assessments on your environment.
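The first recommendation above, as an added example that is not SmartVault's own code: a TLS client that lets the library verify the certificate chain and hostname, then additionally pins the leaf certificate to the fingerprint of the certificate you retrieved for smartvault.com. The fingerprint constant is a placeholder you must replace with the value you retrieved out-of-band.

```python
import hashlib
import hmac
import socket
import ssl

SMARTVAULT_HOST = "smartvault.com"
# Placeholder (assumption): replace with the SHA-256 hex fingerprint of the
# DER certificate you retrieved for smartvault.com out-of-band.
PINNED_SHA256 = "<sha256-hex-of-retrieved-smartvault-cert>"


def make_verifying_context() -> ssl.SSLContext:
    """Client context that refuses unverified or mis-named servers.

    create_default_context() already loads the system CA store and enables
    CERT_REQUIRED and check_hostname; both are re-asserted here so a later
    edit cannot silently weaken them.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (lower-case hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the presented cert against the pinned value;
    accepts the colon-separated, upper-case form that tools usually print."""
    expected = expected_hex.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_pinned(host: str = SMARTVAULT_HOST, port: int = 443,
                   pinned_hex: str = PINNED_SHA256) -> ssl.SSLSocket:
    """Open a TLS connection: chain + hostname are checked by the library
    during the handshake, then the leaf is compared to the pinned fingerprint."""
    ctx = make_verifying_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI and hostname check
    leaf = tls.getpeercert(binary_form=True)
    if leaf is None or not fingerprint_matches(leaf, pinned_hex):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match pinned fingerprint")
    return tls
```

If the pinned certificate is rotated by the host, `connect_pinned` fails closed, so keep the pin updated alongside your own key-rotation schedule.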
