Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters.

Generate a new session identifier if the connection security changes from HTTP to HTTPS, as can occur during authentication.

Note: The task name must be used to catch synchronous events. Sometimes you can't avoid asynchronous triggers, for example with copies of tasks, because the task name needs to be used to catch a synchronous event.

set.string.variable=Set String Variable
set.group=Set Group
set.access.role=Set Access Role
set.admin.role=Set Admin Role
set.provisioning.role=Set Provisioning Role
activate.command.line=Activate Command Line
execute.query=Execute Query
values=Set User Values
change.process.flow=Change Process Flow
log.message=Log Message
display.screen.message=Display Screen Message
throw.exception=Throw an Exception
send.mail=Send Mail
set.accounts.data=Set Account Data by Identifier
set.account.data=Set Account Data
java=Run Java Code
Etc...

Document existing Policy Xpress policies with the following details to decide on policy reuse and on setting priority to control the overall policy execution flow:

There are different event types that can be configured in a policy to trigger an operation.
policyxpress.properties - Describes how Policy Xpress policies are stored, and the type of listeners available
policyxpress_errors.properties - Includes system and screen (UI) error messages, and environment error messages
policyxpress_plugins.properties - Describes details of elements and element types, actions and action types

policyxpress.listenertype.event=Event
policyxpress.listenertype.task=UI
policyxpress.listenertype.attribute=Attribute
policyxpress.listenertype.workflow=Workflow
policyxpress.listenertype.submitted Task=Submitted Task
policyxpress.listenertype.reverse=Reverse Sync
policyxpress.listenerstep.before=Before
policyxpress.listenerstep.approved=Approved
policyxpress.listenerstep.rejected=Rejected
policyxpress.listenerstep.after=After
policyxpress.listenerstep.failed=Failed
policyxpress.listenerstep.start=Start
policyxpress.listenerstep.subject=Set subject
policyxpress.listenerstep.validate_onchange=Validate On Change
policyxpress.listenerstep.validation=Validate On Submit
policyxpress.listenerstep.submission=Submission
policyxpress.listenerstep.validate=Validate
policyxpress.listenerstep.workflow Asynch=Pending
policyxpress.Started=Task started
policyxpress.Completed=Task completed
policyxpress.listenerstep.reverse.detection=Reverse Sync Detection
policyxpress.Failed=Task Failed
policyxpress.listenerstep.approvers Resolved=Approvers resolved

px.error.plugin.build.event=Error building action event
px.error.should.never.happen=Should never happen
px.missing=Failed finding role
px.error.group.missing=Failed finding group
px.members=Failed getting members for role
px.error.group.members=Failed getting members for group
px.membership=Failed getting role membership
px.error.group.membership=Failed getting group membership
px.error.group.set=Failed setting group membership
px.getting.attribute=Failed getting attribute
px.error.command.line=Failed running command line:
px.error.search=Failed searching for object type
px.error.screen.message=Failed placing screen message
px.find=Failed searching for BLTH definitions
px.create=Failed creating the BLTH listener
px.error.found=No account found
Etc...
"Cache-Control: no-store" may be used in conjunction with the HTTP header "Pragma: no-cache", which is less effective but is backward compatible with HTTP/1.0.

Implement encryption for the transmission of all sensitive information. This should include TLS for protecting the connection and may be supplemented by discrete encryption of sensitive files or of non-HTTP based connections.

Prevent disclosure of your directory structure in the robots.txt file by placing directories not intended for public indexing into an isolated parent directory.

This includes identifying access requirements for both the data and system resources.

All random numbers, random file names, random GUIDs, and random strings should be generated using the cryptographic module's approved random number generator when these random values are intended to be un-guessable.

Do not store passwords, connection strings or other sensitive information in clear text or in any non-cryptographically secure manner on the client side. This includes embedding them in insecure formats like MS ViewState, Adobe Flash or compiled code.

Disable client-side caching on pages containing sensitive information.