Monday, May 25, 2015

Web application security design considerations


  • Development teams must follow secure coding guidelines to ensure that data is kept private and confidential, using encryption where appropriate.
  • Coding teams must also consider how data passed into a web site is handled, including how users or devices are authenticated.
  • Security considerations should be built into the application design. To design a secure application, we have to take the following into account:
o   Authentication
o   Authorized access and access control
o   Data input checking and validation
o   Session management
o   Encryption
o   Auditing and logging

  • While designing a secure application, the following application vulnerabilities should be taken care of:

o   Insecure direct object references
o   XSS (cross-site scripting)
o   Cross-Site Request Forgery (CSRF)
o   Clickjacking
o   SQL injection
  • Error and exception handling should be done properly, so that the application displays an appropriate message or takes an appropriate course of action when an error occurs.
  • Take privilege escalation into consideration: a user gaining more rights than were intended within the application.
o   Vertical privilege escalation: a user gets more permissions or rights than originally intended.
o   Horizontal privilege escalation: a user authenticated to an application finds a way to impersonate another user with equal security rights.
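The two kinds of escalation above, and the insecure direct object reference from the vulnerability list, all come down to the same missing server-side check. The Python below is an added example, not the post's own code: it contrasts a lookup that only relies on the user being logged in with one that checks record ownership (horizontal) and a role-restricted action (vertical). The `User`, `Invoice` and `Forbidden` types and the invoice table are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" in this example


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: int


class Forbidden(Exception):
    """Raised when an authenticated user asks for something they may not have."""


# Constructed sample data: two invoices belonging to two different users.
INVOICES = {
    1: Invoice(id=1, owner_id=10, total=250),
    2: Invoice(id=2, owner_id=20, total=990),
}


def get_invoice_unchecked(user, invoice_id):
    # Only authentication is assumed: any logged-in user can read any invoice
    # by guessing its id. This is the insecure direct object reference that
    # enables horizontal escalation.
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    # Horizontal check: the record must belong to the caller (admins excepted).
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    if invoice.owner_id != user.id and user.role != "admin":
        raise Forbidden(f"user {user.id} may not read invoice {invoice_id}")
    return invoice


def delete_account(actor, target_id):
    # Vertical check: the action itself is tied to a role and enforced on every
    # call on the server, not by hiding a button in the user interface.
    if actor.role != "admin":
        raise Forbidden(f"user {actor.id} may not delete accounts")
    return target_id  # stands in for the real deletion in this example


def denies(fn, *args):
    # Helper for demonstrating that a call is refused.
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

In a real service the two failure cases (record missing, record not yours) are usually reported identically to the client, otherwise the difference in responses lets a caller map which ids exist; the distinction is kept in the example only to make the check visible.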
  • Fuzzing/fault injection: in the testing phase of an application, we can feed the application random or unexpected data. The reason we do this in testing is so that we can monitor the application and observe its results.
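As an added example of the testing-phase fuzzing described above (my code, not the post's), here is a minimal harness that feeds seeded random strings to a parser and records every exception type that is not a documented rejection. The toy `key=value;key=value` parser and its defect are constructed for the example; the harness is what a developer would keep.

```python
import random


def parse_kv(text):
    # Toy parser for "key=value;key=value" records with a defect that fuzzing
    # finds: a field with no "=" makes split() return a single element and the
    # index [1] raises IndexError instead of a clear rejection.
    result = {}
    for field in text.split(";"):
        parts = field.split("=", 1)
        result[parts[0]] = parts[1]
    return result


def parse_kv_fixed(text):
    # Same format, but malformed input is rejected with a documented ValueError
    # and empty fields are ignored.
    result = {}
    for field in text.split(";"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        result[key] = value
    return result


def fuzz(target, iterations=500, seed=1234, alphabet="ab=;\x00 \n%"):
    # Feed random strings to target; return {exception name: first input that
    # caused it}. ValueError is the documented rejection and is not a finding.
    rng = random.Random(seed)  # seeded so a failing input can be replayed
    findings = {}
    for _ in range(iterations):
        length = rng.randint(0, 12)
        sample = "".join(rng.choice(alphabet) for _ in range(length))
        try:
            target(sample)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, sample)
    return findings
```

The alphabet is deliberately small and skewed towards the format's delimiter characters, which reaches boundary cases far faster than uniformly random bytes would; recording the seed and the first failing sample is what turns a crash into a reproducible bug report.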
  • Memory leaks, buffer overflows, and integer overflows should be handled properly to prevent damage to network security.
  • Proper checks should be put in place by the application developer for race conditions and resource exhaustion.
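The race condition check above is easiest to see on a check-then-act sequence. This Python is an added example, not from the post: the same withdrawal is written once without a lock, so two concurrent requests both pass the balance check, and once with the check and update made atomic. The `Account` class, the starting balance and the short sleep that stands in for real work are constructed for the example.

```python
import threading
import time


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount):
        # Check-then-act with no lock: between the balance check and the update,
        # another thread can pass the same check, so both withdrawals succeed.
        if self.balance >= amount:
            time.sleep(0.02)  # stands in for real work; makes the window reproducible
            self.balance -= amount
            return True
        return False

    def withdraw_atomic(self, amount):
        # The lock makes the check and the update a single step.
        with self._lock:
            if self.balance >= amount:
                time.sleep(0.02)
                self.balance -= amount
                return True
            return False


def run_concurrent_withdrawals(method_name, start=100, amount=100, threads=2):
    # Run `threads` withdrawals of `amount` against one account at the same time.
    # Returns (final balance, number of withdrawals that reported success).
    acct = Account(start)
    results = []

    def worker():
        results.append(getattr(acct, method_name)(amount))

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return acct.balance, results.count(True)
```

With a database behind the account the same idea is expressed as a transaction with a row lock or a conditional update (`UPDATE ... WHERE balance >= ?`), which is the form most web applications need; the in-process lock is the simplest way to show why the two steps must not be separable.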
  • While working with web services, WS-Security should be implemented to securely transmit data from the client browser (client side) to the web application or service running server side. This is accomplished by transmitting data over HTTPS, encrypting the data, or using SAML tokens.
  • Secure coding standards such as those from OWASP should be used by developers to ensure the security of the web application, and they should be incorporated at every step of the system development life cycle.
  • Specific application issues:
      • Session management
      • HTTP is session-less
      • Security tokens
      • HTTP cookies
      • Flash local storage
      • Improper storage of sensitive data: passwords, keys, PKI certificates
      • Secure cookie storage and transmission
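Because HTTP is session-less, the session id in the cookie is what stands in for the user on every request, so how it is generated, stored and transmitted decides most of the issues listed above. The following Python is an added example (not the post's code) covering session tokens, the cookie attributes used for secure transmission, and a CSRF token bound to the session. The `SessionStore` class, the 30-minute lifetime and the demo secret key are constructed for the example; the cookie attributes are the standard ones emitted by `http.cookies`.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # seconds; constructed value for the example


class SessionStore:
    # Server-side store: the cookie carries only an opaque random id, and the
    # store keeps a hash of it so a copied store does not yield usable ids.
    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {"user_id": user_id, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        # Returns the user id for a live session, or None if unknown or expired.
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None or entry["expires"] <= now:
            return None
        return entry["user_id"]

    def destroy(self, token):
        # Logout must invalidate server-side; deleting the cookie alone is not enough.
        return self._sessions.pop(self._key(token), None) is not None


def session_cookie_header(token):
    # Secure: sent only over HTTPS. HttpOnly: not readable by page script, which
    # limits what an XSS bug can steal. SameSite=Lax: not sent on cross-site POSTs,
    # which blunts CSRF. Max-Age bounds the cookie's life on the client.
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    c["sid"]["max-age"] = SESSION_TTL
    return c["sid"].OutputString()


def csrf_token(secret_key, session_token):
    # Anti-forgery token derived from the session with an HMAC: the form carries it,
    # the browser does not send it automatically, so a cross-site request lacks it.
    return hmac.new(secret_key, session_token.encode(), hashlib.sha256).hexdigest()


def csrf_valid(secret_key, session_token, submitted):
    # Constant-time comparison so timing does not leak how much of the token matched.
    return hmac.compare_digest(csrf_token(secret_key, session_token), submitted)
```

The same store is the place to regenerate the session id after login (create a new entry, destroy the old one) so that a pre-login id planted by an attacker does not carry over, and to keep passwords, keys and certificates out of the cookie altogether.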

