Recent Edits


MySQL	4 days 4 hours ago
OnGuard Card Access	5 days 11 hours ago
MATLAB	5 weeks 6 days ago
National Science Foundation (NSF) Facilities Statement	6 weeks 5 days ago
How to Password-Protect a Web Page using Secure LDAP Authentication	7 weeks 4 days ago
AutoGrader/Autolab	9 weeks 4 days ago
Cadence License Server	11 weeks 3 days ago
OCaml Admin	12 weeks 6 days ago
Submit Script Setup Letter	14 weeks 9 hours ago
How to Install the OnGuard Desktop Client	32 weeks 12 hours ago

MySQL

4 days 4 hours ago

OnGuard Card Access

5 days 11 hours ago

MATLAB

5 weeks 6 days ago

National Science Foundation (NSF) Facilities Statement

6 weeks 5 days ago

How to Password-Protect a Web Page using Secure LDAP Authentication

7 weeks 4 days ago

AutoGrader/Autolab

9 weeks 4 days ago

Cadence License Server

11 weeks 3 days ago

OCaml Admin

12 weeks 6 days ago

Submit Script Setup Letter

14 weeks 9 hours ago

How to Install the OnGuard Desktop Client

32 weeks 12 hours ago

Web Application Security

Introduction

Web application security is a branch of Information Security that deals specifically with security of websites, web applications and web services.

At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems. Typically web applications are developed using programming languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.

General Guidlines

Test inputs rigorously and make sure they are validated and sanitized. Think SQL injection.
Store only the information you need (databases, internal variables).
Passwords are not enough. Consider N factor auth.
Negotiate requirements. This is one for management folks. Some requirements could open security holes.
Add Delays. Design software that is fast enough for humans but too slow for brute force bots.
Encrypt everything. While certs are expensive... self signed certs are better than nothing.
Add authentication barriers to separate systems when appropriate. This flies in the face of single sign on schools of thought so tread carefully!
Use well tested libraries, (think openSSL). Don't reinvent the wheel.
Use internal APIs to logically separate functionality.
Bring in pros to audit/critique code/systems.
Use code analyzers to look for semantic and logic issues.
Give permissions that make sense. Balance being to granular with too trusting. You don't want one person having to submit 20 help desk tickets just to use an app. But you don't want an intern who clicks whatever links you put in front of them, to have complete access to something.
Think like a bad guy. Attack yourselves and your code. Hire someone, pay her more than everyone else, and make that her full time job! I know of a few companies that, while they do pen testing, it is at a very basic level and it is a mechanical process. It is like following a script. There is a difference between pen testing and red teaming yourself.
Read the news and professional periodicals. This is a good way to keep abreast of the current threats and trends.
Establish the trust of your customer/user. Do things like provide site keys or phrases that the customer establishes.

References

http://en.wikipedia.org/wiki/Web_Application_Security
http://www.computerworld.com/s/article/9236503/Safeguard_your_code_17_se...
.htpasswd Encryption Tool
Google Hacking Database (GHDB) (not affiliated with Google)
https://wiki.cse.buffalo.edu/services/content/security
Some tips on writing secure code: http://www.computerworld.com/s/article/9236503/Safeguard_your_code_17_se...

UB CSE IT Service Catalog

Login with your UBIT Credentials

Recent Edits

Web Application Security

Introduction

General Guidlines

References

Search

Web