The goal of application security:
To prevent unauthorized disclosure, alteration and destruction of data whenever it is stored, processed or transmitted.
Firewalls and SSL alone do not prevent all of these.
9 key considerations:
Sensitive Data
Understand the data. If your application handles cardholder data, ensure Payment Card Industry requirements are met.
Limit the amount of sensitive data stored.
Authentication
authentication infrastructures.
Session Management
Use SSL to create a secure communication channel. Always protect sensitive session information with cryptography.
For web cookies, set the Secure flag to TRUE. Set the Secure flag on sensitive session cookies so they are not exposed over plain HTTP.
Ensure session tokens are not easy to guess.
Use HttpOnly to minimize exposure in the event of an XSS vulnerability.
Avoid setting or exposing sessions through GET and POST requests.
Implement logout functionality
Limit the lifetime of session tokens
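The session-cookie rules above as an added example (not from the original notes): an unguessable token from the OS CSPRNG, a Set-Cookie header carrying the Secure and HttpOnly flags with a bounded lifetime, and the logout counterpart. The cookie name SESSIONID and the 30-minute lifetime are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SESSIONID"            # assumption: name used by this application
SESSION_LIFETIME_SECONDS = 30 * 60   # assumption: 30-minute token lifetime


def new_session_token() -> str:
    # 32 bytes from the OS CSPRNG, URL-safe encoded: not guessable or sequential.
    return secrets.token_urlsafe(32)


def _cookie(value: str, max_age: int) -> str:
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = value
    cookie[COOKIE_NAME]["secure"] = True      # only sent over HTTPS, never plain HTTP
    cookie[COOKIE_NAME]["httponly"] = True    # not readable by page scripts (limits XSS impact)
    cookie[COOKIE_NAME]["max-age"] = max_age  # bounds the token's lifetime client-side
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


def session_cookie_header(token: str, lifetime: int = SESSION_LIFETIME_SECONDS) -> str:
    """Set-Cookie value that issues a session token with Secure and HttpOnly set."""
    return _cookie(token, lifetime)


def logout_cookie_header() -> str:
    """Set-Cookie value that expires the cookie on logout.
    The server must also invalidate the token in its own session store."""
    return _cookie("", 0)


def cookie_is_protected(set_cookie_value: str) -> bool:
    """Check (e.g. in a test or a response-header audit) that both flags are present."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")}
    return "secure" in attrs and "httponly" in attrs
```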
Authorization
Apply the principle of least privilege (who has access, type of access, duration of access).
Ensure default Access Control Lists (ACLs) don't give too much access.
Perform role checks before allowing access to operations that could reveal sensitive data.
Perform periodic reviews of authorization lists and permissions.
Input validation (SQL injection, XSS, buffer overflow, JSON data, file upload)
Assume all input is malicious.
Perform data validation at input points as well as just before use in the processing component
Do not accept commands from the user unless you parse and validate them.
Be aware of special commands, characters and quoting
Check authorization before acting.
SQL injection:
Parameterize database queries or use stored procedure calls if they are permitted.
Classic business logic checking (data type, length, range, content checking).
For legacy code where parameterized queries or stored procedure calls aren't possible, sanitization can be considered.
XSS:
Never insert untrusted data into an open JavaScript region, a style element, a tag element or an HTML comment.
Use HTMLEncode and URLEncode (or IVEncoder) to encode output that includes user input.
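Context-specific output encoding as an added example (not from the original notes), using the standard-library equivalents of HTMLEncode and URLEncode: the same untrusted value is encoded one way for HTML text and quoted attributes, another way for a URL query parameter. The page fragment and field names are assumptions.

```python
import html
from urllib.parse import quote


def html_encode(value: str) -> str:
    # HTML text and quoted-attribute context: & < > " ' become entities.
    return html.escape(value, quote=True)


def url_encode(value: str) -> str:
    # Query-string context: percent-encode everything except unreserved characters.
    # The result contains only [A-Za-z0-9%_.~-], so it is also safe inside a quoted attribute.
    return quote(value, safe="")


def render_profile(display_name: str, last_query: str) -> str:
    """Echo untrusted values only into safe contexts: HTML text, a quoted
    attribute value, and a URL query parameter. Script blocks, style blocks,
    unquoted attributes and comments get no untrusted data at all."""
    return (
        "<p>Welcome, {name}</p>\n"
        '<input type="text" name="display" value="{name}">\n'
        '<a href="/search?q={q}">Search again</a>'
    ).format(name=html_encode(display_name), q=url_encode(last_query))
```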
buffer overflow:
Validate the length of data.
Use the "safe" versions of libraries.
Some compilers and operating systems have features that help.
JSON data:
Never pass data to the eval() function without confirming it is syntactically valid JSON.
Whenever possible, a JSON-specific function should be used.
file upload:
Do not permit execution of uploaded files; control this through file extensions and file permission settings.
Is a .JPG file really a valid JPEG file?
Limit the size of uploaded files.
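The three upload checks above as one added example (not from the original notes): a size limit, an extension allow-list, and a magic-bytes check so that a file named .jpg is really a JPEG; the stored copy gets a server-chosen name and no execute bit. The 2 MiB limit and the allowed types are assumptions.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 2 * 1024 * 1024            # assumption: 2 MiB limit
JPEG_MAGIC = b"\xff\xd8\xff"                  # JPEG SOI marker followed by 0xFF
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"              # PNG signature
ALLOWED_TYPES = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".png": PNG_MAGIC}


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (ok, reason). Order: size first (cheap), then extension, then
    content, so a renamed file is rejected even when the extension is allowed."""
    if len(data) == 0:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    base = os.path.basename(filename)          # ignore any directory part the client sent
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(filename: str) -> str:
    # Never reuse the client-supplied name; keep only the vetted extension.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


def save_upload(directory: str, filename: str, data: bytes) -> str:
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    path = os.path.join(directory, stored_name(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)                      # data only: no execute bit for anyone
    return path
```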
Tools:
WebInspect: ASTA
Fiddler: Users can view and manipulate both requests and responses
Parameter Manipulation
Use session identifiers to reference state stored on the server side rather than using hidden form fields
Protect hidden form fields using a technique like a cryptographic hash with a secret key known only on the server side, such as an HMAC.
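The HMAC protection for hidden form fields as an added example (not from the original notes). The field name is bound into the tag so that a value signed for one field cannot be moved into another; the key here is generated at import time as a stand-in for a secret held in server-side configuration (an assumption).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a real deployment loads this from protected server-side
# configuration; it never reaches the client.
SERVER_KEY = secrets.token_bytes(32)


def _tag(field: str, value: str, key: bytes) -> str:
    # Field name and value are both covered, separated by a byte that
    # cannot appear in either, so "qty"/"19.99" and "price"/"19.99" differ.
    msg = f"{field}\x00{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_field(field: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Value to emit in the hidden input: '<value>:<hex hmac-sha256>'."""
    return f"{value}:{_tag(field, value, key)}"


def verify_field(field: str, signed: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the original value when the tag verifies, otherwise None."""
    value, sep, tag = signed.rpartition(":")   # the hex tag never contains ':'
    if not sep:
        return None                            # no tag at all: treat as tampered
    expected = _tag(field, value, key)
    if not hmac.compare_digest(expected, tag): # constant-time comparison
        return None
    return value
```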
Cryptography
Without proper key management, cryptography is useless.
Ensure information is protected as required by the cryptography policy.
Do not develop your own cryptography algorithms.
Auditing and logging
Do log key events such as transactions, login and logout events
Do log critical application operations
Do backup log files
Do inspect log files
Don't log session IDs
Don't log PII (Personally Identifiable Information)
Do not permit shared accounts
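An added example (not from the original notes) of keeping session IDs and PII out of log files: a logging filter that redacts a session cookie value and e-mail addresses before any handler writes the record. The cookie name SESSIONID and the sample log lines are constructed.

```python
import logging
import re

# Values that must never reach the log: the session token and e-mail addresses (PII).
_SESSION_RE = re.compile(r"(SESSIONID=)[A-Za-z0-9_\-]+")            # assumption: cookie name
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact(message: str) -> str:
    message = _SESSION_RE.sub(r"\1[REDACTED]", message)
    return _EMAIL_RE.sub("[EMAIL REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message so every handler sees the redacted text."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def make_audit_logger(name: str = "audit") -> logging.Logger:
    logger = logging.getLogger(name)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger


def filtered_message(msg: str, *args) -> str:
    # Build a record the way logger.info(msg, *args) would, run it through the
    # filter, and return what a handler would receive.
    record = logging.LogRecord("audit", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()
```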
Exception handling
Use exception handling throughout the code base.
Fail secure: sanitize sensitive data in all cases especially in failure situations.
Return generic, harmless error messages to the client.
Configuration Management
Ensure application patches are applied appropriately, as these may not be covered by HPIT.
Ensure the platform is hardened.
Minimize the number of administration interfaces and limit administrative access.
Use appropriate authentication and authorization before permitting configuration changes.
Ensure logging includes configuration changes