Web Application Security


Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services.

At a high level, web application security draws on the principles of application security but applies them specifically to Internet and Web systems. Typically, web applications are developed using programming languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.

General Guidelines

  1. Test inputs rigorously and make sure they are validated and sanitized. Think SQL injection.
  2. Store only the information you need (databases, internal variables).
  3. Passwords are not enough. Consider N-factor authentication.
  4. Negotiate requirements. This one is for management folks: some requirements could open security holes.
  5. Add delays. Design software that is fast enough for humans but too slow for brute-force bots.
  6. Encrypt everything. While certs are expensive, self-signed certs are better than nothing.
  7. Add authentication barriers to separate systems when appropriate. This flies in the face of the single sign-on school of thought, so tread carefully!
  8. Use well-tested libraries (think OpenSSL). Don't reinvent the wheel.
  9. Use internal APIs to logically separate functionality.
  10. Bring in pros to audit and critique code and systems.
  11. Use code analyzers to look for semantic and logic issues.
  12. Give permissions that make sense. Balance being too granular with being too trusting. You don't want one person having to submit 20 help desk tickets just to use an app, but you don't want an intern who clicks whatever links you put in front of them to have complete access to something.
  13. Think like a bad guy. Attack yourselves and your code. Hire someone, pay her more than everyone else, and make that her full-time job! I know of a few companies that, while they do pen testing, do it at a very basic level as a mechanical process, like following a script. There is a difference between pen testing and red teaming yourself.
  14. Read the news and professional periodicals. This is a good way to keep abreast of current threats and trends.
  15. Establish the trust of your customer/user. Do things like provide site keys or phrases that the customer establishes.
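Guideline 1 above, as an added example that is not part of the original page: the same login lookup written once with string concatenation and once with query placeholders, run against an in-memory SQLite table of constructed sample rows, showing why the first form is an injection risk and the second treats input as data only.

```python
import sqlite3

# Constructed sample data for the demo (not from the original page).
# Passwords are stored in plaintext here only to keep the example short;
# a real system stores a salted hash and compares against that.
SAMPLE_USERS = [("alice", "pw-alice"), ("bob", "pw-bob")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable form: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    query = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders hand the values to the driver separately
    from the SQL text, so the input can only ever be compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo() -> dict:
    """Run both forms with a valid login and with a tautology-style malformed password."""
    conn = make_db()
    # Constructed input: closes the open quote and appends an always-true condition.
    tautology = "' OR '1'='1"
    return {
        "unsafe_valid": login_unsafe(conn, "alice", "pw-alice"),
        "unsafe_tautology": login_unsafe(conn, "nobody", tautology),  # every row comes back
        "safe_valid": login_safe(conn, "alice", "pw-alice"),
        "safe_tautology": login_safe(conn, "nobody", tautology),      # no match: []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```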

