Obviously it is valuable and often necessary to test applications for security risks. But after years of exposure to the ominous problem of securing applications, I have come up with ten ways that anyone tasked with application security in the Web 2.0 world can apply best practices when developing and deploying their applications, simply and effectively. Take a look. Of course there are many more, but these are the top things one should do. It is prudent to test, and there are many options, from open source testing tools to off-the-shelf software that does a good job.
1. Secure your site from parameter tampering
To prevent parameter tampering, all parameters should be validated before they are used. Every parameter should be checked for strict adherence to a format that specifies exactly what inputs will be allowed. The commonly known approaches of blacklisting and filtering known-bad input are not very effective and are difficult to maintain. In many cases it is more secure to check for valid inputs rather than for invalid ones.
2. Expire sessions immediately
Enforce server side session termination, both after logout and after a timeout period.
Session identifiers should expire immediately after logout and should not be reusable afterwards.
3. Serve authentication credentials and important form data over SSL
All authentication credentials, session identifiers and any important user data from forms should be protected with SSL at all times.
4. Access control
One common type of access control problem is administrative interfaces that let site administrators manage a site over the Internet. Because of their power, these interfaces are prime targets for attack. The general recommendation here is to use robust routines for session management and user tracking, and to reissue a new session ID whenever a user changes their authentication level.
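The session handling from points 2 and 4, as an added example that is not part of the original post: an in-memory, server-side session store that destroys the record on logout, expires it after an idle timeout whether or not the client still presents the cookie, and issues a fresh identifier whenever the authentication level changes. The 15-minute timeout, the record layout and the `FakeClock` helper are assumptions made for this example; a production store would be backed by a database or cache rather than a dict.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value; the post gives none


class SessionStore:
    """Server-side session table (an in-memory dict for this example).

    Sessions end on logout and after an idle timeout regardless of what
    the client still holds, and a new identifier is issued whenever the
    user's authentication level changes.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be shown without sleeping
        self._sessions = {}      # session id -> {"user", "level", "last_seen"}

    def create(self, user, level="user"):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "level": level,
                               "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the live record for sid, or None (expiring it if stale)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]   # expired on the server, not merely in the cookie
            return None
        rec["last_seen"] = now
        return rec

    def logout(self, sid):
        """Destroy the record, so an id captured earlier is useless after logout."""
        self._sessions.pop(sid, None)

    def change_level(self, sid, new_level):
        """Update the authentication level and rotate the session id.

        The old id stops working at once, so an id that existed before the
        user became an administrator cannot be reused at the higher level.
        """
        rec = self.get(sid)
        if rec is None:
            raise PermissionError("no live session for that id")
        del self._sessions[sid]
        rec["level"] = new_level
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid


class FakeClock:
    """Manually advanced clock, used only to demonstrate the timeout."""

    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.create("alice")
    print("live after login:", store.get(sid) is not None)      # True
    store.logout(sid)
    print("live after logout:", store.get(sid) is not None)     # False
    sid = store.create("bob")
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    print("live after timeout:", store.get(sid) is not None)    # False
    sid = store.create("carol")
    admin_sid = store.change_level(sid, "admin")
    print("old id still works:", store.get(sid) is not None)    # False
```

Because `get` refreshes `last_seen` on every successful lookup, the timeout is an idle timeout; an absolute lifetime (expire after N hours no matter what) would need a second timestamp recorded at `create`.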
5. Enforce server side validation
Implement server-side validation to protect your web application from input validation attacks. Client-side validation is good practice, but it is not enough to keep unexpected input out: with any proxy tool an HTTP request can be captured and altered after it has passed client-side validation. Ensure that your web application validates all forms, headers, cookie fields, hidden fields and parameters, and converts scripts and script tags into a form that cannot execute. All data should be filtered on input as well as on output. If possible, control characters and metacharacters such as <>,.?^&/\~'"-() should be removed from a user's input entirely.
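Points 1 and 5 together, as an added example that is not from the original post: a server-side validator that accepts only the parameters it expects, each matched in full against a strict format (checking for valid input rather than hunting for bad input), plus output filtering that escapes user-controlled text before it is placed in HTML. The parameter names and formats are a constructed checkout form, not anything the post describes.

```python
import html
import re

# Allowlist of the parameters a hypothetical checkout handler accepts, each
# with the exact format it must have (rules constructed for this example).
# Anything not in this table, or not matching its pattern, is rejected.
PARAM_RULES = {
    "product_id": (re.compile(r"[0-9]{1,10}"), True),       # required
    "quantity":   (re.compile(r"[1-9][0-9]{0,2}"), True),   # required, 1..999
    "coupon":     (re.compile(r"[A-Z0-9]{4,12}"), False),   # optional
}


class ValidationError(ValueError):
    """Raised for any request that does not match the allowlist."""


def validate_params(params):
    """Return a cleaned dict of typed values, or raise ValidationError.

    This runs on the server for every request. Whatever client-side
    JavaScript checked is irrelevant here, because the request may have
    been altered by a proxy after those checks ran.
    """
    unknown = set(params) - set(PARAM_RULES)
    if unknown:
        raise ValidationError(f"unexpected parameters: {sorted(unknown)}")
    cleaned = {}
    for name, (pattern, required) in PARAM_RULES.items():
        value = params.get(name)
        if value is None:
            if required:
                raise ValidationError(f"missing parameter: {name}")
            continue
        # fullmatch anchors both ends, so trailing junk such as "3\n" cannot slip by
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            raise ValidationError(f"parameter {name!r} failed format check")
        cleaned[name] = value
    # Convert to the types the rest of the code expects only after validation.
    cleaned["product_id"] = int(cleaned["product_id"])
    cleaned["quantity"] = int(cleaned["quantity"])
    return cleaned


def is_valid(params):
    """Boolean convenience wrapper around validate_params."""
    try:
        validate_params(params)
        return True
    except ValidationError:
        return False


def render_greeting(display_name):
    """Output filtering: escape user-controlled text before it enters HTML.

    Escaping at output time keeps the stored data intact while ensuring
    that any tags or attribute breakouts in the name render as literal text.
    """
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"
```

The validator rejects unknown keys as well as malformed values, so a client that adds a `price` parameter the form never had (the classic tampering case) is refused rather than silently ignored. `html.escape` is the right tool for an HTML body or attribute; text that ends up in JavaScript, a URL or SQL needs the encoding appropriate to that context instead.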
6. Patch servers
Make sure your application server is current with all the relevant security patches. Keep up with the latest bug reports for your web and application server and other related products in your infrastructure. Apply the latest patches to these products.
7. Graceful error handling
Error handling flaws are among the most commonly discovered vulnerabilities. Error messages can reveal internal details such as stack traces, error codes and implementation specifics that should never be disclosed, and those details give attackers clues about potential flaws in the site. Out-of-memory conditions, null pointer exceptions, system call failures, an unavailable database, network timeouts and hundreds of other common conditions can generate errors. These errors must be handled gracefully: a meaningful message for the user, diagnostic information for the site maintainers, and nothing useful for an attacker.
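The graceful handling described above, as an added example that is not from the original post: a request dispatcher that catches any unhandled condition, writes the full detail to the maintainers' log under an incident id, and returns only a fixed message plus that id to the client. The leaky variant is included beside it to show what the post warns against. The `fetch_order` view, its hostname and the incident id format are constructed for this example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def leaky_dispatch(view, *args):
    """The anti-pattern: whatever went wrong is echoed back to the client."""
    try:
        return 200, view(*args)
    except Exception as exc:
        return 500, {"error": f"{type(exc).__name__}: {exc}",
                     "trace": traceback.format_exc()}


def safe_dispatch(view, *args):
    """Catch any unhandled condition, log the detail, return a generic message.

    The client sees only a fixed message and an opaque incident id; the
    matching stack trace is written to the maintainers' log under that id,
    so support can correlate a user report with the real cause.
    """
    try:
        return 200, view(*args)
    except Exception as exc:
        incident_id = uuid.uuid4().hex[:12]
        log.error("incident %s: %s: %s\n%s", incident_id,
                  type(exc).__name__, exc, traceback.format_exc())
        return 500, {"error": "The request could not be completed. "
                              "Please try again later.",
                     "incident_id": incident_id}


def fetch_order(order_id):
    """Constructed view that fails the way a database outage would."""
    raise ConnectionError(
        f"could not reach orders-db.internal:5432 while loading order {order_id}")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(leaky_dispatch(fetch_order, 7))   # hostname, port and trace reach the client
    print(safe_dispatch(fetch_order, 7))    # generic message and an incident id only
```

The same split applies to framework-level handlers: the default "debug" error page most web frameworks ship must be disabled in production, and the custom 500 page should carry the incident id so the user has something to quote to support.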
8. Control form caching after logout
Form content caches reveal information by providing access to previous form field entries and other sensitive data even after the authorized user has logged out. Disable caching on a page by setting the "Pragma: No-cache" and "Cache-control: No-cache" HTTP header values. Implement security practices that include authorization checks for such requests: use scripts that first perform the authorization check (a valid session cookie) and only then reply with the content in the HTTP response.
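The check-then-serve pattern for a form page, as an added example that is not from the original post: the handler reads the session cookie, refuses anyone whose session the server no longer considers live, and only then renders the page, with caching disabled on both the page and the redirect. The cookie name `sid`, the `live_sessions` set and the `/login` path are assumptions for this example.

```python
from http.cookies import SimpleCookie

# Headers that tell browsers and intermediaries not to keep a copy of the
# page. "no-store" is the directive that actually forbids storage; the
# "no-cache" values named in the post are kept for older clients and proxies.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def session_id_from_cookie_header(raw_cookie_header):
    """Extract the 'sid' cookie (name assumed for this example), or None."""
    jar = SimpleCookie()
    jar.load(raw_cookie_header or "")
    morsel = jar.get("sid")
    return morsel.value if morsel else None


def serve_form_page(raw_cookie_header, live_sessions, render):
    """Authorize first, then respond with caching disabled.

    live_sessions: ids the server still treats as logged in (a set here;
    a real application would consult its session store).
    render: function producing the HTML body for an authorized user.
    Returns (status, headers, body).
    """
    sid = session_id_from_cookie_header(raw_cookie_header)
    if sid is None or sid not in live_sessions:
        # No content for an unauthenticated request, and no caching of the redirect either.
        return 302, {"Location": "/login", **NO_CACHE_HEADERS}, b""
    headers = {"Content-Type": "text/html; charset=utf-8", **NO_CACHE_HEADERS}
    return 200, headers, render()


if __name__ == "__main__":
    page = lambda: b"<form><input name='account' value='constructed-value'></form>"
    print(serve_form_page("sid=abc123; theme=dark", {"abc123"}, page)[0])   # 200
    print(serve_form_page("sid=abc123", set(), page)[0])                    # 302 (logged out)
```

Note that `Cache-Control: no-cache` on its own permits a browser to store the page as long as it revalidates before reuse; `no-store` is what keeps the filled-in form off disk, so both directives are sent.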
9. Turn off password autocomplete
This type of vulnerability is particularly important for applications that are accessible from shared or public computing environments, where users may inadvertently allow their password to be cached. In more controlled access environments this vulnerability may not be an issue. The password autocomplete vulnerability occurs when password fields do not have the 'autocomplete' attribute set to 'off'. This can allow the browser to cache password entries on a page, which can enable attackers to discover and abuse passwords.
10. Enforce password strength
Passwords should be hard to guess. Enforce this with restrictions that require a minimum length and a mixture of numeric, alphabetic and special characters to increase complexity.
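The strength rules above as a policy check, added here as an example that is not from the original post: it reports every rule a candidate fails rather than just a yes/no, so the registration form can tell the user what to fix. The 12-character minimum and the tiny common-password denylist are constructed for this example; a real deployment would set its own minimum and load a proper denylist.

```python
import string

MIN_LENGTH = 12   # assumed policy value; the post only calls for "a minimum length"

# Small constructed denylist standing in for a real list of common passwords.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def password_problems(candidate):
    """Return the list of policy rules the candidate fails (empty means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no numeric character")
    if not any(ch.isalpha() for ch in candidate):
        problems.append("no alphabetic character")
    if not any(ch in string.punctuation for ch in candidate):
        problems.append("no special character")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def is_acceptable(candidate):
    """True when the candidate satisfies every rule."""
    return not password_problems(candidate)


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3xyz", "Password1234", "Ab1!", "Password1"):
        print(repr(sample), "->", password_problems(sample) or "OK")
```

Run the same check server-side on the registration and password-change handlers, not only in the browser, for the same reason given under point 5.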
Posted by Sameer Dixit at Cenzic, Inc.
Very, very strong and sound suggestions. Web application security is one of the weakest links nowadays. I hope people read and learn!
Posted by: software testing training | July 22, 2010 at 03:10 AM
I have no doubts this is gonna be very useful for me, due to the fact I have a blog, and I honestly had no idea what the correct method to deploy a SWA was. Fortunately I found your blog...
I have no doubts from now on I'm not gonna have issues to install this security system.
Posted by: Viagra Online | November 02, 2010 at 02:08 PM
Great tips, the company I work for recently worked with a consulting firm who sent in an IT rep who told us similar things. So far they've each paid off.
Posted by: FMCG | November 11, 2010 at 11:43 AM
I have no doubts now that I'm not gonna have issues to install this security system, but sometimes, well you know, Windows is crap, but many times the damn Windows shows me a lot of errors...
Posted by: generic viagra | April 08, 2011 at 09:04 AM
Posted by: Discount Cigarettes | April 15, 2011 at 07:35 AM
This blog is fantastic, I hadn't seen any similar before. I have to accept I found it out by a lucky stroke, but I'm impacted with its quality. I hope you continue posting with the same passion you did it here.
Posted by: pharmacy | August 31, 2011 at 09:21 AM