Security guidelines for today's web application

Guideline for today web application development

Presentation Transcript
  • Security Guidelines For Today's Web Applications
  • Introduction
    • Web applications range from online bidding and auctions and online ticketing to online banking.
    • The rapid growth of web applications also brings a growing number of security issues.
    • Web applications access and store data in databases, so it is important that security is implemented accordingly.
  • Security guideline for web application
    • Server-side user input validation
      • Validate on the server side, not only on the client side: client-side checks run in the attacker's browser and can be bypassed or removed.
      • Hidden and disabled fields must be validated or protected; they arrive as ordinary request parameters and can be modified before submission.
      • Use strong cryptography, e.g. SHA-2 for hashing. Note that SHA-2 is a hash function, not an encryption algorithm: use it for integrity checks, and hash stored passwords with a salted, slow password hash rather than a bare SHA-2 digest.
      • Validate every field at form submission, before the value is used anywhere.
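An added example, not code from the presentation, of what "validate on the server side" looks like for a submitted form: every field is checked against a declared type and maximum length, unknown fields are rejected, and the hidden field is only accepted if it still equals the value the server placed in the page. The form specification, field names and sample data are constructed for this example.

```python
# Added example (not from the presentation): server-side validation of a submitted form
# against a declared specification. Field names, limits and the form data are constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Field:
    kind: str                      # "str", "int" or "hidden"
    max_len: int                   # hard upper bound on the raw submitted text
    pattern: Optional[str] = None  # optional whitelist regex for "str" fields
    required: bool = True


# Constructed specification for a hypothetical order form.
ORDER_FORM: Dict[str, Field] = {
    "username": Field("str", 32, r"[A-Za-z0-9_]{3,32}"),
    "quantity": Field("int", 4),               # at most 4 digits -> 9999
    "note":     Field("str", 500, required=False),
    "price":    Field("hidden", 16),           # rendered as a hidden input, never trusted
}


def validate(form: Dict[str, str], server_values: Dict[str, str],
             spec: Dict[str, Field] = ORDER_FORM) -> Tuple[Dict[str, object], List[str]]:
    """Return (cleaned values, errors). Anything not in the spec is rejected, and every
    field is checked here regardless of what client-side JavaScript already did."""
    clean: Dict[str, object] = {}
    errors: List[str] = []

    for name in form:
        if name not in spec:
            errors.append(f"{name}: unexpected field")

    for name, field in spec.items():
        raw = form.get(name, "")
        if raw == "":
            if field.required:
                errors.append(f"{name}: required")
            continue
        # Length check first: it bounds the work every later check does.
        if len(raw) > field.max_len:
            errors.append(f"{name}: longer than {field.max_len} characters")
            continue
        if field.kind == "hidden":
            # A hidden field is only accepted if it matches what the server put there.
            if raw != server_values.get(name):
                errors.append(f"{name}: hidden field was modified")
            else:
                clean[name] = raw
        elif field.kind == "int":
            if not re.fullmatch(r"[0-9]+", raw):
                errors.append(f"{name}: not a whole number")
            else:
                clean[name] = int(raw)
        else:  # "str"
            if field.pattern and not re.fullmatch(field.pattern, raw):
                errors.append(f"{name}: contains characters that are not allowed")
            else:
                clean[name] = raw
    return clean, errors
```

The length check runs before any parsing so that an oversized value is discarded cheaply, and the hidden `price` field is compared with the server's own copy rather than parsed from the request, which is the only way a hidden field can be trusted.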
  • Security guideline for web application
    • Reliable and strong authentication mechanism
      • Do not allow the password to be the same as the username.
      • Passwords should contain letters, numbers and special characters.
      • Limit the number of login retries to prevent brute force, e.g. lock the account after 5 failed attempts.
      • Perform authentication over HTTPS, never plain HTTP, so credentials are not sent in the clear.
      • Review the 'forgot password' flow for weaknesses, e.g. e-mailing the user's existing password (which also means the password is stored in a recoverable form); send a time-limited reset link instead.
      • Do not use a GET request for the login process: credentials in the URL end up in browser history, proxy and server logs, and Referer headers.
    • Third-party component vulnerabilities
      • Ensure each component is safe to use and apply patches or upgrades immediately when a vulnerability is published.
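An added example, not from the presentation, that puts the password rules, the salted slow hash and the 5-attempt lockout together in one login service. The 5-attempt threshold is the slide's; the lockout duration, the PBKDF2 work factor and all class and function names are assumptions for this example.

```python
# Added example (not from the presentation): password policy, salted password hashing
# and a retry limit with lockout. The 5-attempt threshold follows the slide; the lockout
# duration, PBKDF2 work factor and class/function names are assumptions for this example.
import hashlib
import hmac
import os
import re
import time
from typing import Callable, Dict, Tuple

MAX_FAILED_ATTEMPTS = 5          # slide: lock after 5 attempts
LOCKOUT_SECONDS = 15 * 60        # assumed lockout duration
PBKDF2_ITERATIONS = 200_000      # assumed work factor; raise it for production hardware
SALT_BYTES = 16


def password_meets_policy(username: str, password: str) -> bool:
    """Letters, digits and at least one special character; never equal to the username."""
    if password.lower() == username.lower():
        return False
    return bool(re.search(r"[A-Za-z]", password)
                and re.search(r"[0-9]", password)
                and re.search(r"[^A-Za-z0-9]", password))


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash. A bare SHA-2 digest is fast and unsalted and is
    not a substitute for this."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, digest)
        self._failures: Dict[str, Tuple[int, float]] = {}  # username -> (count, locked_until)
        self._clock = clock
        # Dummy record so unknown users cost the same hashing time as real ones.
        self._dummy = hash_password("dummy-password-for-timing")

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(username, password):
            raise ValueError("password does not meet policy")
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        """Returns "ok", "denied" or "locked". Meant to be called only from a POST over HTTPS."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"                      # do not even check the password
        record = self._users.get(username)
        salt, expected = record if record is not None else self._dummy
        _, actual = hash_password(password, salt)
        if record is not None and hmac.compare_digest(actual, expected):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"
```

The comparison uses `hmac.compare_digest` so that the time taken does not depend on where the digests first differ, and unknown usernames are hashed against a dummy record so that a missing account cannot be told apart from a wrong password by timing.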
  • Security guideline for web application
    • SQL injection
      • One of the most common attack techniques against web applications.
      • Make sure queries and their parameters are protected from SQL injection, e.g. by binding parameters rather than concatenating user input into the statement.
      • Apply access control to the database user the application connects as, e.g. read-only access where the application only needs to read.
    • Web application review for security vulnerabilities
      • Re-check the authentication and authorisation modules for inconsistencies, e.g. the login and change-password modules.
      • Do not display debug or error output that reveals useful information to an attacker (stack traces, SQL statements, file paths).
    • Maintain an application audit log
      • Log all critical user actions.
      • Store the log in a secure place that application users cannot read or modify.
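An added example, not from the presentation, for the SQL injection bullets above: the same user lookup written once with string formatting (injectable) and once with a bound parameter, plus a read-only connection for code paths that only read. It uses SQLite from the Python standard library; the table, rows and temporary file are constructed for this example, and with a server database the read-only connection corresponds to a separate account granted only SELECT.

```python
# Added example (not from the presentation): the same lookup written with string
# formatting (injectable) and with a bound parameter, plus a read-only connection for
# the parts of the application that only read. Uses SQLite from the standard library;
# the table, rows and file path are constructed for this example.
import os
import sqlite3
import tempfile
from typing import List, Tuple


def build_demo_db() -> str:
    """Create a temporary database with two constructed users and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL);
        INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user');
    """)
    conn.commit()
    conn.close()
    return path


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # VULNERABLE: the submitted text is pasted into the statement, so a quote in it
    # changes the query's structure instead of being treated as data.
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    # The driver binds the value separately from the SQL text; it can only ever be
    # compared against the column, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def open_readonly(path: str) -> sqlite3.Connection:
    """Least privilege for read paths: SQLite's read-only URI mode."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def write_blocked(path: str) -> bool:
    """True if an UPDATE through the read-only connection is refused."""
    conn = open_readonly(path)
    try:
        conn.execute("UPDATE users SET role = 'admin' WHERE username = 'bob'")
        conn.commit()
        return False
    except sqlite3.OperationalError:
        return True   # log the detail server-side; show the user only a generic error
    finally:
        conn.close()
```

With the classic payload `x' OR '1'='1` the unsafe function returns every row, the safe one returns nothing because no username literally equals that string, and an attempt to escalate `bob` through the read-only connection is refused by the database itself.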
  • Security guideline for web application
    • Session management
      • Session IDs should not contain sensitive information; they should be random tokens that carry no meaning on their own.
      • Session IDs must be protected throughout their lifecycle: generated from a secure random source, sent only over HTTPS and kept out of URLs and logs.
      • Sessions should time out after a period of inactivity and also expire after an absolute lifetime.
      • Session IDs should be invalidated on the server and overwritten in the client once the user logs out.
    • Prevent buffer overflow
      • Check all code that accepts user input and review it to ensure it handles oversized input safely.
      • All input fields must have a specified maximum length and data type.
      • Limit the amount of text allowed in free-form fields.
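An added example, not from the presentation, of the session management bullets above: an in-memory store that issues random, meaningless session IDs, expires them on inactivity and after an absolute lifetime, and destroys them server-side at logout while overwriting the client's cookie. The timeouts and names are assumptions; the ID rotation after login goes beyond the slide and is included because it is the usual companion to these rules.

```python
# Added example (not from the presentation): an in-memory session store that issues
# random, meaningless session IDs, expires them on inactivity and on an absolute
# lifetime, and destroys them at logout. Timeouts and names are assumptions; the
# ID rotation after login goes beyond the slide.
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 32         # 256 bits of randomness; assumed
IDLE_TIMEOUT = 15 * 60        # assumed inactivity limit, in seconds
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed hard lifetime regardless of activity


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, dict] = {}
        self._clock = clock

    def create(self, user_id: str) -> str:
        """The ID is random and carries no user data; the mapping to the user lives here."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None; expired sessions are deleted."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh ID for the same session (after login or a privilege change)
        so an ID known before authentication is worthless afterwards."""
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = sess
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # server-side invalidation, not just cookie removal

    @staticmethod
    def set_cookie(sid: str) -> str:
        # Secure: HTTPS only; HttpOnly: not readable by script; SameSite limits cross-site sends.
        return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    @staticmethod
    def clear_cookie() -> str:
        # Overwrite the client's cookie with an empty, already-expired value at logout.
        return "session=; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=0"
```

Both timeouts are checked on every lookup rather than by a background sweeper, so an expired ID is never honoured even if cleanup has not run yet; the cookie attributes are returned as the literal `Set-Cookie` header value the application would send.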
  • Security guideline for web application
    • XSS (cross-site scripting) vulnerabilities
      • Occurs when a user-supplied parameter is processed by the server and written back to the client without being validated or encoded, so an attacker can inject script or markup into the page the application serves to other users.
      • Validate all input and encode all output.
      • Encode HTML special characters, e.g.:

        Replace   With
        <         &lt;
        >         &gt;
        (         &#40;
        )         &#41;
        #         &#35;
        &         &#38;
  • Security guideline for web application
    • Administrator alert module
      • Detects unusual activity in the web application.
      • Alerts the administrator when a large number of requests arrive from the same user or IP address.
      • Alerts the administrator when a large number of access-control failures come from the same user.
    • Web application and server settings
      • Verify that file and directory permissions are assigned correctly.
      • Disable any service that is not required by the web application.
      • Change the default username and password of the server and its software.
      • Delete any guest accounts.
      • Do not use self-signed SSL/TLS certificates; use certificates issued by a trusted CA so clients can verify the server's identity.
      • Close any unnecessary ports.
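An added example, not from the presentation, of the two alert rules from the administrator alert module above, run over constructed access-log lines: a sliding window per IP address for request volume and per user for access-control failures (HTTP 403). The log format, thresholds, window size and the sample lines are assumptions for this example.

```python
# Added example (not from the presentation): the two alert rules from the slide run over
# constructed access-log lines (format: ip user [epoch] "METHOD path" status). Thresholds,
# window and the log lines are assumptions for this example.
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 60
REQUEST_THRESHOLD = 6     # alert when one IP reaches this many requests in the window
DENIED_THRESHOLD = 3      # alert when one user reaches this many 403s in the window

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Constructed sample: a scripted login burst from one address and a user probing admin URLs.
SAMPLE_LOG: List[str] = [
    '203.0.113.10 alice [1700000000] "GET /account" 200',
    '198.51.100.7 - [1700000001] "GET /login" 200',
    '198.51.100.7 - [1700000002] "POST /login" 401',
    '198.51.100.7 - [1700000003] "POST /login" 401',
    '198.51.100.7 - [1700000004] "POST /login" 401',
    '198.51.100.7 - [1700000005] "POST /login" 401',
    '198.51.100.7 - [1700000006] "POST /login" 401',
    '203.0.113.22 mallory [1700000010] "GET /admin" 403',
    '203.0.113.22 mallory [1700000015] "GET /admin/users" 403',
    '203.0.113.22 mallory [1700000020] "GET /admin/config" 403',
    '203.0.113.10 alice [1700000100] "GET /logout" 200',
]


def detect(lines: List[str], window: int = WINDOW_SECONDS) -> List[Tuple[str, str, int]]:
    """Sliding-window counters per IP and per user. Each alert fires once, at the
    moment the count reaches the threshold, as (rule, key, count)."""
    requests: Dict[str, Deque[int]] = defaultdict(deque)
    denials: Dict[str, Deque[int]] = defaultdict(deque)
    alerts: List[Tuple[str, str, int]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue                      # malformed lines are skipped, never trusted
        ts = int(m["ts"])

        q = requests[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) == REQUEST_THRESHOLD:
            alerts.append(("request-rate", m["ip"], len(q)))

        if m["status"] == "403" and m["user"] != "-":
            d = denials[m["user"]]
            d.append(ts)
            while d and ts - d[0] > window:
                d.popleft()
            if len(d) == DENIED_THRESHOLD:
                alerts.append(("access-denied", m["user"], len(d)))
    return alerts
```

The counters only hold timestamps inside the current window, so the memory per key is bounded by the threshold, and the equality test on the count means one crossing produces one alert instead of one alert per extra request.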
  • Conclusion
    • Even if every guideline is followed while developing a web application, we cannot rely on that alone; there is no fool-proof defence.
    • Regularly reviewing the code, logic and structure of the web application is a good practice that is needed to maintain its security.
  • THANK YOU
    • Email : [email_address]
    • Blog: http://waihong-mobile88.blogspot.com