
Security Standard for New Software / Application

1. User Account and Password Requirements


1.1. Application must be able to add, delete and change user accounts and reset passwords.
1.2. User Account
1) Default product/standard application user accounts must be renamed or disabled.
2) If possible, domain user accounts in TMB's Active Directory should be used as the
application user accounts for this application.
3) User accounts must be unique.
4) Minimum user account length must be 5 characters.
5) User account names must not contain words (such as "administrator" or "adm") that
clearly indicate the privilege level of the user, the position of the individual, or the
organization to which the individual belongs.
6) User accounts not used for over 90 days must be automatically disabled or locked
out.
7) User accounts not used for over 120 days must be automatically deleted.
8) Application must provide a tool or script to create/change/delete user accounts in
bulk.
1.3 Password
1) Minimum password length must be 8 characters.
2) Application must enforce that a password contains at least one uppercase letter, one
lowercase letter and one digit, and that the password is not a repetition of the user account.
3) Passwords stored in the system must be encrypted.
4) Password history must retain at least the 6 most recent passwords, or the maximum
the application supports.
5) Maximum password age must be 45 days.
6) Password must be changed upon initial logon.
7) Application must lock out a user account after 3 consecutive failed logons.
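The account and password rules in sections 1.2 and 1.3 are mechanical enough to be coded directly. The following Python is an added illustration, not code from the standard or from TMB: it implements the name check (1.2.4, 1.2.5), the complexity, reuse and account-repetition checks (1.3.1, 1.3.2, 1.3.4), initial-logon and 45-day password change (1.3.5, 1.3.6), lockout after 3 consecutive failures (1.3.7) and the 90/120-day idle actions (1.2.6, 1.2.7). The forbidden-word list, the class and function names and the salted PBKDF2 storage form are the example's own assumptions; the standard only says stored passwords must be encrypted.

```python
import hashlib
import os
import re
from datetime import datetime, timedelta

# Thresholds as stated in sections 1.2 and 1.3 of the standard.
MIN_ACCOUNT_LEN = 5
MIN_PASSWORD_LEN = 8
PASSWORD_HISTORY = 6
MAX_PASSWORD_AGE = timedelta(days=45)
DISABLE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=120)
MAX_FAILED_LOGONS = 3

# Assumed word list for rule 1.2.5; the standard itself names only "administrator" and "adm".
FORBIDDEN_ACCOUNT_WORDS = ("administrator", "admin", "adm", "root", "manager", "director")


def _digest(password: str, salt: bytes) -> bytes:
    # Stored form of a password: a salted one-way hash, never the clear text (rule 1.3.3).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_account_name(name: str) -> list:
    """Return the 1.2 rules a proposed user account violates (empty list = acceptable)."""
    problems = []
    if len(name) < MIN_ACCOUNT_LEN:
        problems.append("1.2.4 account shorter than 5 characters")
    if any(word in name.lower() for word in FORBIDDEN_ACCOUNT_WORDS):
        problems.append("1.2.5 account reveals privilege, position or organisation")
    return problems


def check_password(password: str, account: str, history: list) -> list:
    """Return the 1.3 rules a proposed password violates; history holds (salt, digest) pairs."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append("1.3.1 shorter than 8 characters")
    for pattern, what in ((r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"), (r"[0-9]", "digit")):
        if not re.search(pattern, password):
            problems.append(f"1.3.2 no {what}")
    if account.lower() in password.lower():
        problems.append("1.3.2 password repeats the user account")
    # Rule 1.3.4: re-hash with each of the last six entries' salts and compare digests.
    if any(_digest(password, salt) == digest for salt, digest in history[-PASSWORD_HISTORY:]):
        problems.append("1.3.4 password reused within the last 6 passwords")
    return problems


class UserAccount:
    def __init__(self, name: str, created: datetime):
        self.name = name
        self.history = []           # (salt, digest) pairs, oldest first
        self.password_set_at = None
        self.must_change = True     # rule 1.3.6: change upon initial logon
        self.failed_logons = 0
        self.locked = False
        self.last_logon = created

    def set_password(self, password: str, now: datetime, initial: bool = False) -> None:
        problems = check_password(password, self.name, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.password_set_at = now
        self.must_change = initial  # an administrator-issued initial password still has to be changed

    def password_expired(self, now: datetime) -> bool:
        # Rule 1.3.5: maximum password age 45 days.
        return self.password_set_at is None or now - self.password_set_at > MAX_PASSWORD_AGE

    def record_logon(self, success: bool, now: datetime) -> str:
        """Rule 1.3.7: lock the account after 3 consecutive failed logons."""
        if self.locked:
            return "locked"
        if success:
            self.failed_logons = 0
            self.last_logon = now
            return "must_change_password" if self.must_change or self.password_expired(now) else "ok"
        self.failed_logons += 1
        if self.failed_logons >= MAX_FAILED_LOGONS:
            self.locked = True
            return "locked"
        return "failed"

    def lifecycle_action(self, now: datetime) -> str:
        """Rules 1.2.6 and 1.2.7: disable after 90 idle days, delete after 120."""
        idle = now - self.last_logon
        if idle > DELETE_AFTER:
            return "delete"
        if idle > DISABLE_AFTER:
            return "disable"
        return "keep"
```

The history check re-hashes the candidate with each stored salt rather than comparing clear text, so the same structure works whether the password store is hashed or, as the standard words it, encrypted. The lockout counter resets only on a successful logon, which is what "consecutive" requires.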

This Document is the Property of TMB Bank Public Company Limited


Page 1 of 5

2. User Privilege
2.1 Application must segregate administrative roles into the following 5 preliminary groups:
1) System : For managing system/software installation & configuration
2) Database : For managing DBMS installation & configuration
3) Application : For managing technical parameters, job scripting, user group definition
4) Business : For managing business parameters
5) Information Security : For managing user accounts, permissions & access configuration
2.2 Application must segregate users into groups based on access rights (e.g. Supervisor, Inquiry,
Maintenance, or Authorize).
2.3 Application must generate the following required periodic reports:
1) Users and access rights
2) User accounts inactive for more than 90 days
3) Password violations (failed logons)
4) User account management activities: add/change/delete user account, etc.
3. Session
3.1 Application must disconnect a session after at most 15 minutes of inactivity, except
sessions used for batch processing.
3.2 Application must not allow a user to log on to more than one concurrent session.
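Rules 3.1 and 3.2 together describe a small session store. The Python below is an added example, not the standard's or TMB's code: it expires interactive sessions idle for more than 15 minutes, exempts sessions flagged as batch, and refuses a second concurrent logon for the same user. The class and method names, the token format and the choice to reject (rather than replace) the second session are the example's assumptions.

```python
import secrets
from datetime import datetime, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(minutes=15)   # rule 3.1


class SessionStore:
    """In-memory session table enforcing rules 3.1 and 3.2."""

    def __init__(self):
        self._sessions = {}   # token -> {"user", "last_activity", "batch"}

    def logon(self, user: str, now: datetime, batch: bool = False) -> str:
        """Create a session; raises PermissionError if the user already has a live one (3.2)."""
        self._expire(now)
        if any(s["user"] == user for s in self._sessions.values()):
            raise PermissionError(f"{user} already has an active session")
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = {"user": user, "last_activity": now, "batch": batch}
        return token

    def touch(self, token: str, now: datetime) -> Optional[str]:
        """Validate a request; returns the user, or None if the session expired or never existed."""
        self._expire(now)
        session = self._sessions.get(token)
        if session is None:
            return None
        session["last_activity"] = now
        return session["user"]

    def logoff(self, token: str) -> None:
        self._sessions.pop(token, None)

    def active_users(self) -> list:
        return sorted(s["user"] for s in self._sessions.values())

    def _expire(self, now: datetime) -> None:
        # Rule 3.1: drop interactive sessions idle for more than 15 minutes; batch sessions are exempt.
        for token, session in list(self._sessions.items()):
            if not session["batch"] and now - session["last_activity"] > INACTIVITY_LIMIT:
                del self._sessions[token]
```

Expiry is evaluated lazily on every call, so a stale session is rejected on its next request even when no background sweeper runs; a production deployment would additionally sweep the table periodically so that idle sessions do not linger in memory.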
4. Encryption
4.1. Highly sensitive data with a high risk of disclosure must be encrypted during storage and
transfer over the network.
4.2. Where encryption/decryption must interoperate with existing TMB systems, keys must be
compatible with those systems' encryption/decryption.
4.3. Key archiving must be secured and must allow privileges for accessing the key to be assigned.
4.4. For Symmetric-Key Encryption, AES-192 (or equivalent or better) is required.
4.5. For Asymmetric-Key Encryption, RSA-2048 (or equivalent or better) is required.

5. Data Integrity
5.1 Input Validation
1) Check the data type and completeness of the data.
2) Check that values lie within the feasible range, e.g. upper bound, lower bound.
3) Check for the special characters; e.g. < > / & % E * ! = ; , .. - -- % _ ( ) + = # |
[ ] : # / \ $ | %0a %0d ? ^ { } ~ * @@
Use of any special character must be limited to what is needed.
If a special character is required, it must be encoded to a non-executable form, such
as by encoding with an escape() function, before it is stored or processed.
5.2 Output Validation
1) Ensure the data type of the output data.
2) Data that contains special characters must be encoded to a non-executable form, such
as by encoding with an escape() function, before it is displayed or sent out.
5.3 Internal Processing
Application must prevent memory leaks and buffer overflows. For compliance with this
requirement, the Vendor or Application Developer may provide official confirmation that memory
leaks and buffer overflows are prevented.
6. Data Confidentiality
6.1. Access paths such as traps, back doors or shortcuts that could be used to compromise security must not
exist at any stage of the software development process. For compliance with this
requirement, the Vendor or Application Developer may provide official confirmation that no
unauthorized access paths exist at those stages.
6.2. Passwords must not be included in clear text in any automated logon process or logon script.
6.3. For data transfers between hosts, data must be encrypted during transmission, or
SCP/SFTP must be used instead of FTP.
6.4. For error handling, the screen must not display information such as paths, versions or file
names; only a normal error message.
6.5. Program source libraries and unused files must not be stored in production environments.

6.6. Application must display a warning banner or message on the log-on screen before the user
supplies account and password.
6.7. Application must prevent SQL Injection attacks.
6.8. For Web Applications
1) TLS v1 or SSL v3 must be implemented to secure the connection between server and client
when logging on to the web application.
2) Using HTTPS requests with the GET method to transfer sensitive parameters must not be
allowed.
3) Application must prevent Cross-Site Scripting attacks.
4) After sensitive information on a web page is submitted, that information must not be
displayed again when the "Back" button is clicked.
5) For file downloads, the file name must be clearly specified and the use of a null
string to download other information must be prevented.
6) Access to the administrative log-on screen from the Internet must not be allowed.
7) Application should pass the acceptance test of a vulnerability assessment.
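Rule 6.7 (prevent SQL injection) and rule 6.4 (generic error messages) are shown side by side in the Python below, which is an added example and not code from the standard or TMB. It uses a constructed in-memory SQLite table; `lookup_unsafe` builds the statement by string formatting, so user input is parsed as SQL, while `lookup_safe` passes the value as a bound parameter, and `handle_request` returns only a fixed message to the caller while the detail goes to the application log. Table, column and function names are the example's assumptions.

```python
import logging
import sqlite3

log = logging.getLogger("app")


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory customer table used only for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT, balance REAL)")
    conn.executemany("INSERT INTO customer (username, balance) VALUES (?, ?)",
                     [("alice", 120.0), ("bob", 45.5), ("carol", 9000.0)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # The user-supplied value is spliced into the statement text, so quote characters in it
    # change the meaning of the query. Shown only as the "before" of the fix.
    sql = f"SELECT username, balance FROM customer WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the value travels separately from the statement and can only ever
    # be compared against the column, never interpreted as SQL.
    return conn.execute(
        "SELECT username, balance FROM customer WHERE username = ?", (username,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, username: str) -> dict:
    """6.4: the caller sees a generic message; path/driver detail stays in the application log."""
    try:
        return {"ok": True, "rows": lookup_safe(conn, username)}
    except sqlite3.Error as exc:
        log.error("customer lookup failed for %r: %s", username, exc)
        return {"ok": False, "error": "The request could not be processed."}
```

A legitimate value such as `O'Brien` already breaks the unsafe version with a syntax error, which is the simplest evidence that input is being executed as SQL; the classic tautology probe used in the test returns every row from the unsafe query and nothing from the parameterised one.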
7. Application Logging
7.1. Application log must record the following compulsory application activities/events:
1) logon/logoff
2) add/delete/change user account, add/delete group member, user account disabling,
user account unlocking
3) transactions (when, who, where, what)
7.2. Application log must be readable, field-formatted text.
7.3. Application log must be configured to transmit automatically to the centralized log server (in real time or periodically).
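One way to satisfy 7.1 and 7.2 with minimal code is one JSON record per line carrying the when/who/where/what fields. The Python below is an added example, not the standard's or TMB's: `format_event` writes such a record and `parse_log` reads records back and rejects any that lack a compulsory field. Because `json.dumps` escapes embedded newlines and quotes, a user-controlled field (an account name, a transaction memo) cannot split a record or forge a second one, which is what keeps a field-formatted log trustworthy. The field names and event vocabulary are the example's own choice.

```python
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = ("when", "event", "who", "where", "what")


def format_event(event: str, who: str, where: str, what: str, when: datetime = None) -> str:
    """Rule 7.2: one readable, field-formatted record per line (JSON Lines)."""
    when = when or datetime.now(timezone.utc)
    record = {"when": when.isoformat(), "event": event, "who": who, "where": where, "what": what}
    # ensure_ascii keeps the line printable; json escapes \n and quotes inside field values.
    return json.dumps(record, ensure_ascii=True)


def parse_log(text: str) -> list:
    """Read records back; raise on any line missing a compulsory field (rule 7.1)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"malformed record, missing {missing}: {line}")
        records.append(record)
    return records
```

Writing the records to the centralized log server (7.3) is then a matter of shipping the file or stream; the format stays the same whether it is forwarded in real time or in batches.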
8. Recovery
8.1 Application must provide system and data backups.
8.2 Application must provide disaster recovery process for service continuity.

9. Application must prevent the following Top Ten Risks in the "OWASP Top 10 Web Application
Security Risks for 2010" document provided by OWASP (Open Web Application Security
Project):
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Note 1: Secure coding and following the best practices of software development are
required.
Note 2: For more details, see http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

10. Deviation
If any requirement in this security standard cannot be complied with, a deviation for
those items must be processed following the TMB deviation procedure.
