Академический Документы
Профессиональный Документы
Культура Документы
Applications
The NUIT Guide to Securing Web Applications was developed as a resource for
web application developers, testers, and the Information Security Office. In
particular, the guide is meant to:
Policy Statement:
Secure Web Applications and Coding
Secure coding is the practice of writing code for systems, applications and web pages in
such a way as to ensure the confidentiality, integrity and accessibility of data and
information related to those systems. Programmers fluent in secure coding practices can
avoid common security flaws in programming languages and follow best practices to
help avoid the increasing number of targeted attacks that focus on application
vulnerabilities.
The ISO recommends that all developers attend a secure coding class.
Secure coding practices, in conjunction with pre-production and ongoing testing via
ISO’s Information Security Vulnerability and Web Application Assessment Programs,
help to ensure that applications are developed and maintained with a minimum exposure
to known security vulnerabilities. When secure coding practice is applied throughout
the development life cycle, the benefits can be: minimal impact to project
implementation dates and schedules; reduced exposure to compromise; and overall
improvements to risk management.
Developers should utilize the “OWASP Top Ten” list to guide their secure coding
efforts. The OWASP Top Ten details the most common web application security
vulnerabilities, including basic methods to protect against these vulnerabilities.
For web application assessment, the ISO uses Quayls, an automated web application
and web services vulnerability assessment tool that is specifically designed to assess
potential security flaws and to provide all the information needed to fix them. As an
assessment is initiated, Quayls assigns "assessment agents" that dynamically catalog all
areas of a Web application. As these agents complete the assessment, findings are
reported to a main security engine that analyzes the results.
Quayls then launches audit engines to evaluate the gathered information and apply
attack algorithms to locate vulnerabilities and determine their severity. Manual
assessment using Quayls is also possible for in-depth testing. Reporting is provided in
the mail GUI console and as stand alone reports in numerous formats.
Recommendations
The following descriptions refer to the sections in the OWASP Web Guide
Project document.
Web Services
This section deals with the common issues facing web developers as they work to build
secure web apps, whether that includes Java, pHp, AJAX or other web languages and/or
technologies.
Authentication
This section deals with authentication issues associated with secure web apps, such as
basic/digest authentication, form-based authentication, integrated (SSO) authentication,
etc.
Authorization
This section addresses authentication issues, ensuring a user has the appropriate
privileges to view a resource. Topics such as principle of least privilege, client-side
authorization tokens, etc. are addressed here.
Session Management
This section addresses topics such as authenticated users having a robust and
cryptographically secure association with their session, applications enforcing
authorization checks and applications avoiding or preventing common web attacks, such
as replay, request forging and man-in-the-middle.
Data Validation
This section deals with applications being robust against all forms of input data,
whether obtained from the user, infrastructure, external entities or databases.
Interpreter Injection
This section addresses application issues so they are secure from well-known parameter
manipulation attacks against common interpreters.
Distributed Computing
This section deals with synchronization and remote services to web applications, by
hardening applications against:
Buffer Overflow
This section addresses issues such as:
Administrative Interfaces
This section addresses issues such that:
Cryptography
This section helps to ensures that cryptography is safely used to protect the
confidentiality and integrity of sensitive user data
Configuration
This section is focused on creating secure web applications which are as well-built and
secure out-of-the-box as possible.
Deployment
This section deals with the issues surrounding secure deployment of web applications.
Maintenance
This section addresses issues such as:
July 2012
Revision Dates:
December 2016
June 2008
Additional Information:
Guidelines for Securing Web Applications and
Secure Coding
OWASP and other sites detailed here are excellent references for information
on Web application security and secure coding.