Security guidelines for today's web application

Published in: Technology

  1. Security Guidelines For Today's Web Applications

  2. Introduction
     • Web applications range from online bidding/auction sites and online ticketing to online banking.
     • The rapid growth of web applications also brings security issues.
     • Web applications access and store data in databases, so it is important that security is implemented accordingly.

  3. Security guideline for web application
     • Server-side user input validation
       - Validate on the server side, not just on the client side.
       - Hidden and disabled fields must be validated or protected.
       - Use strong cryptography, e.g. hashes from the SHA-2 family.
       - Validate during form submission.
     • Reliable and strong authentication mechanism (detailed on the next slide)

  4. Security guideline for web application
     • Reliable and strong authentication mechanism
       - Do not allow the password to be the same as the username.
       - Passwords should contain letters, numbers and special characters.
       - Limit the number of login retries to prevent brute force, e.g. lock the account after 5 attempts.
       - Perform authentication over HTTPS instead of HTTP.
       - Review the 'forgot password' function for vulnerabilities, e.g. send the password only to the registered email account.
       - Do not use GET requests for the login process.
     • Third-party component vulnerabilities
       - Ensure each component is safe to use and apply patches/upgrades immediately.

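The validation and authentication points of slides 3 and 4 (server-side password policy, password not equal to the username, SHA-2 based hashing, lockout after 5 failed attempts), as an added example that is not code from the deck or its author. The lockout duration, the PBKDF2 iteration count and the `LoginService` class are assumptions made for this illustration; the threshold of 5 attempts is the slide's own figure.

```python
import hashlib
import hmac
import os
import re
import time
from typing import Dict, List, Optional, Tuple

# Constructed policy values (assumptions for this example). The lockout
# threshold of 5 attempts is the figure the slides give as an example.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000

# Dummy credentials used for unknown usernames so that a lookup miss costs
# the same time as a real password check (no username enumeration by timing).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32


def password_is_acceptable(username: str, password: str) -> bool:
    """Server-side password policy from the slides: letters, digits and
    special characters must all be present, and the password must not
    equal the username."""
    if password.lower() == username.lower():
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    return has_letter and has_digit and has_special


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 over SHA-256 (a SHA-2 function); returns (salt, digest).
    Only the digest is stored, so a database leak does not expose passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.failed: Dict[str, List[float]] = {}   # username -> failure timestamps
        self.locked_until: Dict[str, float] = {}

    def register(self, username: str, password: str) -> None:
        if not password_is_acceptable(username, password):
            raise ValueError("password does not satisfy the policy")
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` can be injected for testing."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        salt, stored = self.users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        _, candidate = hash_password(password, salt)
        # compare_digest is constant-time, so the comparison leaks nothing.
        if username in self.users and hmac.compare_digest(stored, candidate):
            self.failed.pop(username, None)
            return "ok"
        # Count the failure even for unknown usernames, so the response does
        # not reveal which accounts exist. Failures accumulate until the next
        # successful login or until the lockout triggers.
        attempts = self.failed.setdefault(username, [])
        attempts.append(now)
        if len(attempts) >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failed.pop(username, None)
            return "locked"
        return "denied"
```

The lockout is keyed by username rather than by client address, which is the behaviour the slide describes; a production service would also rate-limit per source address and log each lockout for the administrator alert module discussed later in the deck.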
  5. Security guideline for web application
     • SQL injection
       - One of the tricks most commonly used in attacks.
       - Make sure queries and parameters are protected from SQL injection.
       - Apply access control to the database user ID, e.g. read-only access.
     • Web application review for security vulnerabilities
       - Recheck the authentication and authorization modules for any inconsistency, e.g. the login or change-password module.
       - Do not display debug or error output that reveals useful information.
     • Maintain an application audit log
       - Log all critical user actions.
       - Store the log in a secure place.

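The two SQL injection points of slide 5, as an added example that is not code from the deck or its author: a string-built query beside its parameterised replacement, plus a read-only database connection for the slide's least-privilege point. The table, rows and function names are constructed for this illustration; SQLite's `PRAGMA query_only` stands in for the SELECT-only database account one would create on a server database.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example: an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Anti-pattern: the input is pasted into the SQL text, so a quote in the
    input changes the structure of the query instead of being compared as data."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterised query: the SQL text is fixed and the driver binds the
    input as a value, so the input can never alter the statement."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    """Least privilege at the database layer (the slide's 'read-only access').
    SQLite exposes this as PRAGMA query_only; with a server database the
    equivalent is a dedicated account granted only SELECT on the needed tables."""
    conn.execute("PRAGMA query_only = 1")


def write_is_blocked(conn: sqlite3.Connection) -> bool:
    """True if the connection refuses a write, i.e. the read-only setting holds."""
    try:
        conn.execute("INSERT INTO users (name, email) VALUES ('eve', 'eve@example.test')")
    except sqlite3.OperationalError:
        return True
    return False
```

With a name containing a single quote, the vulnerable function returns every row because the quote terminates the string literal and the rest of the input becomes SQL; the parameterised function returns nothing, because no user literally has that name. Read-only access does not stop injection, but it limits what an injected statement can do.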
  6. Security guideline for web application
     • Session management
       - Session IDs should not contain sensitive information.
       - Session IDs must be protected throughout their lifecycle.
       - Inactive sessions should time out, and session IDs should expire.
       - Session IDs should be invalidated (overwritten) once the user logs out.
     • Prevent buffer overflow
       - Check code that accepts user input and review it to ensure it handles overly large input.
       - All input fields must specify a field length and data type.
       - Limit the amount of text allowed in free-form fields.

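The session-management bullets of slide 6 (opaque IDs that carry no user data, idle and absolute expiry, invalidation on logout, protection of the ID in transit), as an added example that is not code from the deck or its author. The `SessionStore` class, the two lifetimes and the cookie name are assumptions for this illustration; the ID rotation after login is a standard practice added here rather than something the slide states.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed lifetimes (assumptions for this example).
IDLE_TIMEOUT_SECONDS = 15 * 60
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60


class SessionStore:
    """Server-side session table: the browser only ever holds an opaque id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, object]] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG, URL-safe encoded. The id encodes
        # nothing about the user; all state lives server-side.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live session, or None. Idle and absolute
        limits are enforced here, and an expired entry is removed on sight."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        idle = now - float(entry["last_seen"])
        age = now - float(entry["created"])
        if idle > IDLE_TIMEOUT_SECONDS or age > ABSOLUTE_LIFETIME_SECONDS:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return str(entry["user"])

    def rotate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh id and retire the old one, e.g. right after login,
        so an id handed out before authentication stops working."""
        user = self.resolve(sid, now)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, now)

    def logout(self, sid: str) -> None:
        """The slide's 'overwrite on logout': the id is dropped server-side,
        so presenting it again resolves to nothing."""
        self._sessions.pop(sid, None)


def cookie_header(sid: str) -> str:
    """Set-Cookie value protecting the id in transit and from page scripts:
    Secure (sent over HTTPS only), HttpOnly (not readable from JavaScript),
    SameSite=Strict (not sent on cross-site requests)."""
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % sid
```

Because every lookup goes through `resolve`, an expired or logged-out ID is rejected wherever it is presented; the store never trusts anything inside the ID itself.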
  7. Security guideline for web application
     • XSS (cross-site scripting) vulnerabilities
       - Happen when a user-supplied parameter is processed by the server and output to the client again without being re-validated, letting an attacker inject behaviour into the attacked application.
       - Validate all input and output.
       - Encode HTML characters, e.g.:

         Replace   With
         <         &lt;
         >         &gt;
         (         &#40;
         )         &#41;
         #         &#35;
         &         &#38;

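The output-encoding table of slide 7 implemented as a function, as an added example that is not code from the deck or its author. It applies the slide's six replacements, shows the same job done by the standard library's `html.escape` (which additionally encodes the quote characters that matter inside attributes), and reflects a user-supplied parameter back into a page with the encoding applied at the point of output. The page template and function names are constructed for this illustration.

```python
import html

# The slide's replacement table, written with the semicolons the entities need.
SLIDE_ENCODING = {
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    "#": "&#35;",
    "&": "&#38;",
}


def encode_for_html(text: str) -> str:
    """Output encoding: every listed character becomes an entity, so the
    browser renders it as text instead of parsing it as markup. A single
    pass over the characters means '&' in the input is never double-encoded."""
    return "".join(SLIDE_ENCODING.get(ch, ch) for ch in text)


def encode_for_html_stdlib(text: str) -> str:
    """What a library does for the same job. html.escape also encodes the
    quote characters, which matter when the value lands inside an attribute."""
    return html.escape(text, quote=True)


def render_search_page(query: str) -> str:
    """Reflecting a user-supplied parameter back into HTML: the untrusted
    value is encoded at the point of output, whatever validation ran earlier."""
    return "<p>Results for: %s</p>" % encode_for_html(query)
```

Encoding is context-specific: the table above is for text inside an element; a value placed inside an attribute also needs the quotes encoded, and a value placed inside a script block or a URL needs a different encoder again.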
  8. Security guideline for web application
     • Administrator alert module
       - Detects unusual activity in the web application.
       - Alert the administrator when a large number of requests come from the same user or IP address.
       - Alert the administrator when a large number of access-control errors come from the same user.
     • Web application and server settings
       - Verify that file and directory permissions are assigned correctly.
       - Disable any service not required by the web application.
       - Change default usernames and passwords for the server.
       - Delete any guest accounts.
       - Do not use self-signed SSL certificates.
       - Close any unnecessary ports.

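The administrator alert module of slide 8, as an added example that is not code from the deck or its author: sliding-window counters over access-log lines that raise one alert for a request burst from a single address and one for repeated access-control errors by a single user. The log format, the sample lines, the thresholds and the window length are all constructed for this illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed thresholds (assumptions for this example).
WINDOW_SECONDS = 60
REQUEST_THRESHOLD = 20     # requests from one IP within the window
DENIAL_THRESHOLD = 5       # access-control errors (HTTP 403) by one user within the window

# Constructed access-log format: "<epoch-seconds> <client-ip> <user-or-'-'> <status>",
# in time order. Three scenarios: a burst from one address, repeated denials
# for one user, and ordinary traffic that must not alert.
SAMPLE_LOG = (
    ["%d 10.0.0.5 - 200" % (1000 + i) for i in range(25)]
    + ["%d 10.0.0.9 mallory 403" % (1100 + 5 * i) for i in range(6)]
    + ["1200 10.0.0.7 alice 200", "1201 10.0.0.7 alice 200"]
)


def parse_line(line: str) -> Tuple[float, str, str, int]:
    ts, ip, user, status = line.split()
    return float(ts), ip, user, int(status)


class AlertMonitor:
    """Sliding-window counters keyed by IP and by user, raising each alert once."""

    def __init__(self) -> None:
        self.requests_by_ip: Dict[str, Deque[float]] = defaultdict(deque)
        self.denials_by_user: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[Tuple[str, str]] = []
        self._raised: Set[Tuple[str, str]] = set()

    @staticmethod
    def _prune(window: Deque[float], now: float) -> None:
        # Drop timestamps that have fallen out of the window.
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def _raise(self, kind: str, subject: str) -> None:
        key = (kind, subject)
        if key not in self._raised:          # de-duplicate: one alert per burst
            self._raised.add(key)
            self.alerts.append(key)

    def observe(self, ts: float, ip: str, user: str, status: int) -> None:
        reqs = self.requests_by_ip[ip]
        reqs.append(ts)
        self._prune(reqs, ts)
        if len(reqs) >= REQUEST_THRESHOLD:
            self._raise("rate", ip)
        if status == 403 and user != "-":
            denials = self.denials_by_user[user]
            denials.append(ts)
            self._prune(denials, ts)
            if len(denials) >= DENIAL_THRESHOLD:
                self._raise("access-control", user)


def analyze(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the monitor over log lines and return the (kind, subject) alerts raised."""
    monitor = AlertMonitor()
    for line in lines:
        monitor.observe(*parse_line(line))
    return monitor.alerts
```

The same counters fed from the audit log described on slide 5 would also catch repeated lockouts or password-reset requests for one account; the thresholds are the part that needs tuning against the application's real traffic.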
  9. Conclusion
     • Even when all guidelines are followed while developing a web application, we cannot simply rely on them: there is no fool-proof defense.
     • Reviewing the code, logic and structure of the web application is a good practice needed to maintain application security.

  10. THANK YOU
     • Email : [email_address]
     • Blog: http://waihong-mobile88.blogspot.com
