Chapter 6 DXP Security

DXP Information Management Security Checklist

• Define the security categories for the DXP application. For instance, we could define three categories such as public, private, and confidential. Define security policies for each of the security categories: all data marked as public is visible to guest users and public users; all data marked as private is accessible only to logged-in users; and all data categorized as “confidential” should be visible only to users with the admin role. Also, all data categorized as “private” or “confidential” should be encrypted at rest and in transit.

• Ensure that no sensitive data (such as SSNs, user passwords, credit card numbers, etc.) is stored in application logs in plain text.

• Ensure that no sensitive data is cached or stored in browser cookies. Disable browser autocomplete for sensitive form fields.

• Ensure that no sensitive data is shared with external or third-party services without consent from the respective owners.

• Don’t use sensitive data in hidden form fields, meta tags, or custom HTTP headers that are accessible to the end user.

DXP Authentication and Session Management Checklist

• Ensure that there is a centralized authentication management system that uses enterprise-wide LDAP or Active Directory.

• Ensure that the centralized authentication system enforces robust password policies. Password policies include restrictions on password strength, password change frequency, notification on password change events, account lockout policy, and such.

• Define multi-factor authentication (MFA) for sensitive functions such as admin functionality, password update functionality, and such.

• Define strict session management policies including idle session timeout, avoiding multiple simultaneous sessions, creating random session IDs, and such.

• The DXP application processes must run with minimum privilege.
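The first two items of the information management checklist (a three-level classification with a visibility rule per level, plus no sensitive data in plain-text logs) can be expressed directly in code. The following is an added example written for this chapter, not code from the book; the names `Classification`, `Principal`, `can_view`, `must_encrypt`, `redact_for_log`, `RedactingFilter`, the sensitive key list, and the sample profile record are all constructed here.

```python
"""Added example: enforce the public / private / confidential policy from the
DXP Information Management checklist and keep sensitive fields out of logs.
All class, function and key names here are constructed for the example."""
from dataclasses import dataclass, field
from enum import IntEnum
import logging
import re


class Classification(IntEnum):
    """Ordered so that a higher value means stricter handling."""
    PUBLIC = 0
    PRIVATE = 1
    CONFIDENTIAL = 2


@dataclass(frozen=True)
class Principal:
    """Who is asking: a guest (unauthenticated) or a logged-in user with roles."""
    authenticated: bool = False
    roles: frozenset = field(default_factory=frozenset)


def can_view(principal, classification):
    """Checklist policy: public -> everyone, guests included;
    private -> any logged-in user; confidential -> admin role only.
    Anything not explicitly allowed is denied."""
    if classification is Classification.PUBLIC:
        return True
    if classification is Classification.PRIVATE:
        return principal.authenticated
    if classification is Classification.CONFIDENTIAL:
        return principal.authenticated and "admin" in principal.roles
    return False  # default-deny for an unknown level


def must_encrypt(classification):
    """Private and confidential data must be encrypted at rest and in transit."""
    return classification >= Classification.PRIVATE


# Field names the application treats as sensitive (constructed list).
SENSITIVE_KEYS = {"ssn", "password", "card_number", "cvv"}
_CARD_RE = re.compile(r"\b\d{13,19}\b")           # card-like digit runs
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN layout


def _scrub(text):
    """Mask SSN and card-like patterns inside free text."""
    return _SSN_RE.sub("[SSN]", _CARD_RE.sub("[CARD]", text))


def redact_for_log(record):
    """Return a copy of a record that is safe to write to application logs:
    sensitive keys are masked entirely, free-text values are scrubbed."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, str):
            out[key] = _scrub(value)
        else:
            out[key] = value
    return out


class RedactingFilter(logging.Filter):
    """Logging filter: scrubs SSN/card patterns from every message that passes
    through a logger it is attached to, so a careless log call cannot leak them."""
    def filter(self, record):
        record.msg = _scrub(str(record.msg))
        return True


if __name__ == "__main__":
    guest = Principal()
    user = Principal(authenticated=True, roles=frozenset({"user"}))
    admin = Principal(authenticated=True, roles=frozenset({"user", "admin"}))
    for name, who in (("guest", guest), ("user", user), ("admin", admin)):
        print(name, {c.name: can_view(who, c) for c in Classification})
    # Constructed sample record containing sensitive fields.
    profile = {"name": "Ada", "ssn": "123-45-6789",
               "note": "card 4111111111111111 on file"}
    log = logging.getLogger("dxp")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO)
    log.info("profile update: %s", redact_for_log(profile))
```

`can_view` is written as an explicit default-deny switch rather than a numeric comparison so that adding a fourth category later forces a conscious decision about who may see it; `RedactingFilter` is a second line of defence for log statements that bypass `redact_for_log`.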
Building Digital Experience Platforms
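The session management item in the authentication checklist above names three concrete rules: random session IDs, an idle timeout, and no multiple simultaneous sessions. The following added example (written for this page, not code from the book) shows a minimal server-side session store that enforces all three; `SessionStore`, `IDLE_TIMEOUT`, the `clock` parameter and the 15-minute policy value are assumptions made here.

```python
"""Added example: a server-side session store implementing the checklist's
session rules: cryptographically random IDs, idle timeout, and a single active
session per user. Class and method names are constructed for this example."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value, not from the book


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        # session_id -> {"user": ..., "last_seen": ...}
        self._sessions = {}
        # user -> session_id; one entry per user enforces a single session
        self._by_user = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the timeout can be tested

    def login(self, user):
        """Create a session for an already-authenticated user. Any existing
        session for that user is revoked, so there is never more than one."""
        old = self._by_user.pop(user, None)
        if old is not None:
            self._sessions.pop(old, None)
        # 32 random bytes from the OS CSPRNG; never a counter or a hash of user data
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        self._by_user[user] = sid
        return sid

    def touch(self, sid):
        """Validate a session on every request. Returns the user, or None if the
        ID is unknown or the session has been idle longer than the timeout
        (in which case it is destroyed server-side)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self._idle_timeout:
            self.logout(sid)
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Destroy a session and release the user's single-session slot."""
        s = self._sessions.pop(sid, None)
        if s is not None:
            self._by_user.pop(s["user"], None)

    def active_sessions(self):
        """Number of live sessions (useful for monitoring and tests)."""
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    first = store.login("alice")
    second = store.login("alice")  # first session is revoked here
    print("first still valid:", store.touch(first) is not None)   # False
    print("second valid:", store.touch(second))                    # alice
    print("active sessions:", store.active_sessions())             # 1
```

Expiry is checked on use rather than by a background sweeper, which keeps the example small; a production store would also purge idle entries periodically and bind the session to a `Secure`, `HttpOnly` cookie.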