Application Security - Kosudo/nextSIS GitHub Wiki

A student information system (SIS) stores a variety of student data, including sensitive personal information and grade histories. As such, it is a high-value target for students as well as a general target for the wider hacker community. This means that the application security of any SIS should meet industry best practices, and security must not be bolted on as an afterthought but be an inherent part of the design of the system.

To this end, the proposed design of nextSIS will incorporate as a minimum:

  • [Salted-hashed passwords](http://crackstation.net/hashing-security.htm)
  • [Limited password entry attempts](limited-password-entry-attempts)
  • Password expiry options
  • [Fully-customisable user-permissions and profiles](wiki/Fully-customisable-user-permissions-and-profiles)
  • [Audit trail](wiki/Audit-Trail)
  • Access logs
  • Suspicious activity alerts
  • Account lockouts
  • [Scheduled-account-suspension](scheduled-account-suspension)
  • [IP address filtering](ip-address-filtering)
  • Automated database backup
  • Error handling and recording

The following areas will be investigated for possible use: