Saturday, September 26, 2015

A Guide to Building Secure Web Applications

Security Guidelines
Validate Input and Output
Fail Securely (Closed)
Keep it Simple
Use and Reuse Trusted Components
Defense in Depth
Good systems don't try to predict the unexpected; they plan for it. If one control fails to catch a security event, a second, independent control should catch it.

Only as Secure as the Weakest Link
Security By Obscurity Won't Work
Least Privilege
Compartmentalization (Separation of Privileges)
Similarly, compartmentalizing users, processes and data helps contain problems when they do occur. Compartmentalization is a widely adopted concept in information security. Imagine the same pool man scenario: giving the pool man the keys to the whole house while you are away, so that he can get to the pool house, is not a wise move. Granting him access only to the pool house limits the kinds of problems he can cause.
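The two principles above, defense in depth and compartmentalization, are easiest to see in code where each layer can be knocked out separately. The following is an added example written for this page, not code from the guide: an allowlist check on the input (layer 1), a parameterized query so that input can never become SQL text (layer 2), and an sqlite3 authorizer that confines the "pool man" connection to the pool_schedule table (layer 3, the pool house key). The schema, the row data and the helper names (make_db, compartment_authorizer, pool_tasks, handle_request, demo) are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: the "house" holds two compartments, only one of
# which the pool-maintenance component should ever be able to reach.
SCHEMA = """
CREATE TABLE pool_schedule (id INTEGER PRIMARY KEY, day TEXT, task TEXT);
CREATE TABLE house_keys   (id INTEGER PRIMARY KEY, owner TEXT, code TEXT);
INSERT INTO pool_schedule (day, task) VALUES ('Mon', 'skim'), ('Thu', 'chlorinate');
INSERT INTO house_keys (owner, code) VALUES ('front door', '4421');
"""

DAY_RE = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$")


def make_db():
    """Open an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def compartment_authorizer(allowed_tables):
    """Layer 3 (compartmentalization): an sqlite3 authorizer callback that confines
    a connection to reading the given tables. Everything else, including writes and
    schema changes, is denied. Hypothetical helper written for this example."""
    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK          # statement type is fine; columns are checked below
        if action == sqlite3.SQLITE_READ and arg1 in allowed_tables:
            return sqlite3.SQLITE_OK          # arg1 is the table being read
        return sqlite3.SQLITE_DENY            # fail closed for anything else
    return authorize


def validate_day(day):
    """Layer 1 (validate input): accept only known-valid values."""
    if not DAY_RE.match(day):
        raise ValueError(f"rejected day value: {day!r}")
    return day


def pool_tasks(conn, day):
    """Layer 2 (parameterized query): user data never becomes part of the SQL text."""
    rows = conn.execute("SELECT task FROM pool_schedule WHERE day = ?", (day,)).fetchall()
    return [task for (task,) in rows]


def handle_request(conn, day):
    """The normal request path runs every layer in order."""
    return pool_tasks(conn, validate_day(day))


def demo():
    """Exercise each layer on its own to show that no single one is load-bearing."""
    conn = make_db()
    conn.set_authorizer(compartment_authorizer({"pool_schedule"}))
    hostile = "Mon' OR '1'='1"
    results = {"valid": handle_request(conn, "Mon")}

    try:                                      # layer 1 rejects the hostile value
        handle_request(conn, hostile)
        results["layer1"] = "passed"
    except ValueError:
        results["layer1"] = "blocked"

    # Pretend layer 1 was bypassed (a forgotten code path): layer 2 still
    # treats the hostile string as an ordinary value that matches no row.
    results["layer2"] = pool_tasks(conn, hostile)

    try:                                      # pretend layers 1 and 2 were both lost
        conn.execute("SELECT code FROM house_keys").fetchall()
        results["layer3"] = "passed"
    except sqlite3.DatabaseError:             # sqlite refuses: "not authorized"
        results["layer3"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the valid request returning ['skim'], the hostile value blocked at layer 1, returning an empty result when layer 1 is skipped, and the house_keys read refused by the authorizer even with both earlier layers gone. In a real deployment the third layer is usually a database account whose grants cover only that component's tables; the authorizer plays that role here so the example runs offline.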

3. How Much Security Do You Really Need?
What are Risks, Threats and Vulnerabilities?
Measuring the Risk
4. Security Guidelines
Validate Input and Output
Fail Securely (Closed)
Keep it Simple
Use and Reuse Trusted Components
Defense in Depth
Only as Secure as the Weakest Link
Security By Obscurity Won't Work
Least Privilege
Compartmentalization (Separation of Privileges)
5. Architecture
General Considerations
Security from the Operating System
Security from the Network Infrastructure
6. Authentication
What is Authentication?
Types of Authentication
Browser Limitations
HTTP Basic
HTTP Digest
Forms Based Authentication
Digital Certificates (SSL and TLS)
Entity Authentication
Infrastructure Authentication
Password Based Authentication Systems
7. Managing User Sessions
Cookies
Persistent vs. Non-Persistent
Secure vs. Non-Secure
How do Cookies work?
What's in a cookie?
Session Tokens
Cryptographic Algorithms for Session Tokens
Appropriate Key Space
Session Management Schemes
Session Time-out
Regeneration of Session Tokens
Session Forging/Brute-Forcing Detection and/or Lockout
Session Re-Authentication
Session Token Transmission
Session Tokens on Logout
Page Tokens
SSL and TLS
How do SSL and TLS Work?
8. Access Control and Authorization
Discretionary Access Control
Mandatory Access Control
Role Based Access Control
9. Event Logging
What to Log
Log Management
10. Data Validation
Validation Strategies
Accept Only Known Valid Data
Reject Known Bad Data
Sanitize All Data
Never Rely on Client-Side Data Validation
11. Preventing Common Problems
The Generic Meta-Characters Problem
Attacks on The Users
Cross-Site Scripting
Attacks on the System
Direct SQL Commands
Direct OS Commands
Path Traversal and Path Disclosure
Null Bytes
Canonicalization
URL Encoding
Parameter Manipulation
Cookie Manipulation
HTTP Header Manipulation
HTML Form Field Manipulation
URL Manipulation
Miscellaneous
Vendors Patches
System Configuration
Comments in HTML
Old, Backup and Un-referenced Files
Debug Commands
Default Accounts
12. Privacy Considerations
The Dangers of Communal Web Browsers
Using personal data
Enhanced Privacy Login Options
Browser History
13. Cryptography
Overview
Symmetric Cryptography
Asymmetric, or Public Key, Cryptography
Digital Signatures
Hash Values
Implementing Cryptography
Cryptographic Toolkits and Libraries
Key Generation
Random Number Generation
Key Lengths