Procedures

Posts relating to the category tag "procedures" are listed below.

12 September 2008

Keep The Emails Coming

Web site managers should check that enquiries, feedback and other user input sent from the web site by email are actually being delivered. But lesser-used functions such as error reporting may also send messages by email - these should be tested regularly as well.

Many transactional web sites (also called "web applications") will use email alert messages for internal processes such as:

  • System errors
  • Unusual or inconsistent transactions
  • Missing content (not found) requests
  • Accounts locked out

They should be tested in the same way as normal business processes:

  • Is the alert raised when the appropriate event occurs?
  • Does the message get sent to the mail server?
  • Does the intended recipient receive the message?
  • Was the message recorded, analysed and resolved/escalated in a timely manner?

Remember to ensure the messages are not subject to filtering, modification or delay.
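One way to exercise the checklist above end to end, as an added example that is not code from the original post: it starts a constructed in-process SMTP sink, raises one alert through a hypothetical send_alert hook, and reports whether the message reached the mail server and arrived unmodified for the intended recipient. The sink, send_alert, check_alert_path and the example.test addresses are all assumptions made here.

```python
import smtplib, socketserver, threading
from email import message_from_bytes
from email.message import EmailMessage

class _SmtpSink(socketserver.StreamRequestHandler):
    # Constructed in-process SMTP sink: just enough SMTP for smtplib, records accepted messages.
    def handle(self):
        self.wfile.write(b"220 sink ready\r\n")
        while line := self.rfile.readline():
            verb = line[:4].upper()
            if verb == b"DATA":
                self.wfile.write(b"354 end with <CRLF>.<CRLF>\r\n")
                body = b""
                while not body.endswith(b"\r\n.\r\n"):
                    if not (chunk := self.rfile.readline()):
                        return
                    body += chunk
                self.server.received.append(body[:-5])  # strip the terminator
                self.wfile.write(b"250 queued\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:  # EHLO/HELO/MAIL/RCPT: plain positive reply
                self.wfile.write(b"250 ok\r\n")

def send_alert(host, port, event, recipient):
    # Hypothetical application hook that e-mails one internal alert.
    msg = EmailMessage()
    msg["From"], msg["To"] = "alerts@example.test", recipient
    msg["Subject"] = f"[ALERT] {event}"
    msg.set_content(f"Event: {event}\n")
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.send_message(msg)

def check_alert_path(event="Account locked out", recipient="ops@example.test"):
    # Walk the checklist: raised -> reached the mail server -> right recipient, unmodified.
    sink = socketserver.TCPServer(("127.0.0.1", 0), _SmtpSink)
    sink.received = []
    threading.Thread(target=sink.serve_forever, daemon=True).start()
    try:
        send_alert("127.0.0.1", sink.server_address[1], event, recipient)
        if len(sink.received) != 1:
            return False, "message never reached the mail server"
        parsed = message_from_bytes(sink.received[0])
        if parsed["To"] != recipient or parsed["Subject"] != f"[ALERT] {event}":
            return False, "message modified or misaddressed in transit"
        return True, "ok"
    finally:
        sink.shutdown()
        sink.server_close()
```

Pointing send_alert at the real outbound relay instead of the sink turns this into the "does the message get sent to the mail server" check; the final item on the list, whether someone actually acts on the alert, still has to be checked by hand.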

A humorous example appeared in last week's Deep Trouble, a comedy from BBC Radio 4 set in the future on board a Royal Navy nuclear stealth submarine - the crew were surprised that an incoming message had been received since it looked like spam. It turned out that the junk mail filter was turned off, the message was from the Admiral and it contained a secret NATO code phrase "PRIZE HAMPER" to authenticate the sender.

Let's hope "PRIZE HAMPER" doesn't get this blog post blacklisted.

Posted on: 12 September 2008 at 06:35 hrs

26 August 2008

Issuing Web Site User Names Safely

I am often asked how to select and then send out web site login user names. If you have a relatively small number of users and they don't change often, don't get complicated - just send them in the post.

User names identify an individual during authentication processes like logging on. Self-registration systems can often be abused to help guess existing user names.

But if you have a known set of users such as customers, members or clients, select the user names yourself and don't use the internet (such as email) to communicate them to the users. Transfer them some other way ("out-of-band" is security jargon), perhaps using conventional post, signed for on receipt, to an address you already have on record, by hand (perhaps at an event or conference) or possibly by telephone or fax.

It's also better to disable user accounts which are not used within a reasonable period after the communication is sent, as non-use may indicate that the address on record was incorrect.

Posted on: 26 August 2008 at 09:49 hrs

Procedures : Web Security, Usability and Design
http://www.clerkendweller.com/procedures

© 2008-2009 clerkendweller.com