Developing Web Applications Securely - How to Fix Common Code Vulnerabilities and Flaws
Neglecting to take proper security measures at the application layer is one of the most common causes of data breaches, yet many companies still leave their applications unprotected. Securing your applications begins with developer training on the risks applications face and the methods required for vulnerability prevention. This infographic focuses on defining these risks and combating common flaws.

Published in: Technology
Building Secure Web Applications Infographic
veracode.com/blog/2012/06/building-secure-web-applications-infographic/

Infographic by Veracode Application Security

The cost of a data breach averages $5.5 million, or $194 per customer record. Companies that take security seriously by employing a Chief Information Security Officer can reduce the cost per customer record by up to 62%.

So... what can Web developers be doing to PREVENT these data breaches and Web application vulnerabilities from happening in the first place?

The OWASP Top 10 Application Security Risks
  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration*
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection*
  • Unvalidated Redirects and Forwards
* May be outside the developer's control

Application Security Checklist
(This is not a comprehensive list, as application security is a constant process.)
  1. Does the application properly encode or escape data prior to exchanging it with external components such as a database, LDAP server, web browser, etc.?
  2. Does the application encrypt sensitive information such as authentication credentials, sensitive customer data, etc. prior to transmitting such information across the network?
  3. Does the application comply with the organization's existing security standards?
  4. Does the application use thread-safe techniques to protect against race conditions that could harm system availability and/or data integrity?
  5. Does the application ensure that numeric values are within expected ranges that do not result in unanticipated consequences when used in calculations or control structures?
  6. Does the application properly control access to the server's file system?
  7. Does the application use currently accepted, industry-standard cryptographic algorithms?
  8. Has the application been deployed with secure default permissions?
  9. Does the application protect against brute force attacks?
  10. Does the application validate all input, including parameters, arguments, cookies, anything read from the network, environment variables, request headers, URL components, e-mail, files, database records and any external system that provides data to the application?
  11. Does the application verify the origin of sensitive requests through the use of unpredictable, unique nonces as hidden input form values?
  12. Does the application fail gracefully and securely without divulging details of the underlying implementation to the end user?
  13. Does the application store state information on the server side only, or ensure client-side state variables have not been tampered with?
  14. Does the application perform access control checks in a consistent manner across all potential execution paths?
  15. Is the application free of hardcoded credentials and cryptographic keys?
  16. Does the application use sufficient randomness for generating session ids or in other security-sensitive contexts?

Specific Examples of How to Combat Two Common Flaws

XSS (Cross Site Scripting) Flaws
You May Be Vulnerable If...
  • Input coming into your applications is not validated
  • Output to the browser is not properly escaped
How to Prevent It
Use the appropriate escaping method for the context you are in. Here are some examples:
  • HTML encode all user input returned as part of HTML
  • URL encode all user input returned as part of URLs (convert ?, &, /, <, >, and spaces to their respective URL-encoded equivalents)
  • Convert all user input to a single character encoding before parsing

SQL Injection Flaws
You May Be Vulnerable If...
  • Unvalidated user input is concatenated into an ad-hoc SQL query
How to Prevent It
  • Use parameterized prepared statements
  • Use input validation for length, type, syntax and business rules
  • Use the lowest-privilege database account possible

Really Want Secure Web Applications? Security is a Process: Test Everything!
  • Never assume security controls are effective until you can validate them with thorough testing.
  • Most security vulnerabilities will not be discovered during normal application use.
  • Allocate time for dedicated security testing within your project timeline.
  • Always test applications and application components, both in isolation and in the environment where the application is deployed.

Veracode Security Solutions
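The three XSS rules in the infographic (HTML encode for HTML context, URL encode for URL context, one character encoding before parsing) worked through in Python, as an added example that is not part of the infographic or of Veracode's material; the page template, the `/profile?u=` link and the sample input are constructed for this example.

```python
import html
import urllib.parse
from typing import Optional

# Constructed sample input: a display name as a hostile user might submit it.
UNTRUSTED_NAME = '<script>alert(1)</script>&name="x"'

def render_greeting_unsafe(name: str) -> str:
    # The flaw the page describes: output to the browser is not escaped,
    # so any markup inside `name` becomes part of the page.
    return "<p>Hello, " + name + "</p>"

def render_greeting(name: str) -> str:
    # HTML body/attribute context: entity-encode & < > " and '.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def render_profile_link(name: str) -> str:
    # URL context: percent-encode everything outside the unreserved set,
    # which covers ?, &, /, <, > and spaces (safe="" also encodes "/").
    # The URL then sits inside an HTML attribute, so it is HTML-escaped too.
    query = urllib.parse.quote(name, safe="")
    return '<a href="/profile?u=' + html.escape(query, quote=True) + '">profile</a>'

def normalize_input(raw: bytes) -> Optional[str]:
    # Single-encoding rule: decode every input strictly as UTF-8 before
    # validating or escaping; reject anything that is not valid UTF-8
    # (overlong sequences, for instance) rather than guessing at its encoding.
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
```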

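The SQL injection section above, worked through in Python with an in-memory SQLite database, as an added example that is not part of the infographic or of Veracode's material: the `users` table, the rows in it and the username syntax rule are constructed for this example, and the page's least-privilege account rule is not modelled because SQLite has no accounts.

```python
import re
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    # Constructed in-memory database with two sample users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The flaw the page describes: unvalidated input concatenated into an
    # ad-hoc query, so a quote character in `name` rewrites the SQL itself.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Prepared statement: the value is bound as data and never parsed as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Assumed business rule: a username is a lowercase identifier, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def validate_username(name: object) -> bool:
    # Input validation for type, length and syntax, as the page recommends.
    return isinstance(name, str) and USERNAME_RE.match(name) is not None

def lookup_user(conn: sqlite3.Connection, name: object) -> List[Tuple[str, str]]:
    # Both controls together: reject malformed input, then bind the value.
    if not validate_username(name):
        raise ValueError("rejected username")
    return find_user_parameterized(conn, name)
```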
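Checklist items 11 and 16 (unpredictable, unique nonces as hidden form values; sufficient randomness for session ids) as an added Python example that is not part of the infographic or of Veracode's material; the in-memory `SESSIONS` store, the `csrf_token` field name and the single-use policy are assumptions of this example.

```python
import hmac
import secrets
from typing import Dict

# Hypothetical server-side session store (checklist item 13: state stays on
# the server). Keys are session ids, values hold per-session data.
SESSIONS: Dict[str, Dict[str, str]] = {}

def new_session() -> str:
    # 256-bit session id from the OS CSPRNG, not a seeded PRNG (item 16).
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid

def issue_form_nonce(sid: str) -> str:
    # A fresh, unpredictable nonce per rendered form, remembered server-side
    # and emitted into the form as a hidden input (item 11).
    nonce = secrets.token_hex(16)
    SESSIONS[sid]["csrf"] = nonce
    return nonce

def hidden_input(nonce: str) -> str:
    return '<input type="hidden" name="csrf_token" value="%s">' % nonce

def verify_form_nonce(sid: str, submitted: str) -> bool:
    # Pop the stored nonce so each one is accepted at most once, then compare
    # in constant time so the check leaks nothing about the expected value.
    expected = SESSIONS.get(sid, {}).pop("csrf", None)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)
```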