- Development teams must follow secure coding guidelines to ensure that sensitive data is kept private and confidential, for example by encrypting it in transit and at rest.
- Developers must also consider how data passed into a web site is handled, including how the users or devices submitting it are authenticated.
- Applications should be designed with security in mind from the start. A secure design takes the following into consideration:
o Authentication
o Authorized access and access control
o Data input checking and validation
o Session management
o Encryption
o Auditing and logging
- While designing a secure application, common application vulnerabilities must be guarded against, such as:
o Insecure direct object references
o XSS (cross site scripting)
o Cross-Site Request Forgery(CSRF)
o Click-Jacking
o SQL injection
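Two of the vulnerabilities listed above, SQL injection and XSS, side by side with their fixes. This is an added example written for these notes, not code from the original; the user table, the `make_db` helper and the attack strings are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (sample data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """User input is concatenated into the SQL text, so it can change the query's meaning."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_hardened(conn, name, password):
    """User input is bound as a parameter: the database treats it as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def greeting_vulnerable(name):
    """Reflects the value into HTML unchanged: a <script> tag in the name runs in the victim's browser."""
    return f"<p>Welcome, {name}</p>"


def greeting_hardened(name):
    """HTML-encodes the value for the context it lands in, so markup characters are displayed, not parsed."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


SQLI_PAYLOAD = "x' OR '1'='1"            # constructed attack string for the password field
XSS_PAYLOAD = "<script>alert(1)</script>"  # constructed attack string for the name field
```

With the password payload, the vulnerable query becomes `... AND password = 'x' OR '1'='1'`, which is true for every row, so the login "succeeds" for all users; the parameterized version returns nothing because the payload is compared literally. The same rule applies to XSS: encode output for the context it is written into rather than trying to blacklist input.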
- Error and exception handling should be implemented so that the application displays a generic, appropriate message to the user (without leaking internal details such as stack traces, file paths or query text) and takes an appropriate course of action when an error occurs.
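A request wrapper that shows the difference between leaking the exception to the client and logging it server-side behind a reference id. Added example for these notes, not from the original; the `failing_handler` and `bad_input_handler` functions are constructed stand-ins for application code.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")
LOG_RECORDS = []                       # in-memory log sink so the server-side record can be inspected


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_RECORDS.append(self.format(record))   # the default formatter appends the traceback


log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False


def handle_request_leaky(handler, *args):
    """Returns (status, body). On failure the full traceback goes to the client."""
    try:
        return 200, handler(*args)
    except Exception:
        # Stack frames, file paths, SQL text and exception messages are now in the attacker's hands.
        return 500, "Internal error:\n" + traceback.format_exc()


def handle_request_safe(handler, *args):
    """Returns (status, body). Expected client errors get a specific but harmless message;
    anything else gets a generic message plus a reference id that points at the server-side log entry."""
    try:
        return 200, handler(*args)
    except ValueError:
        return 400, "Invalid request."
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)   # full detail stays on the server
        return 500, f"Something went wrong. Reference: {ref}"


# Constructed sample handlers standing in for real application code.
def failing_handler():
    raise RuntimeError("db connect failed: password=hunter2")


def bad_input_handler():
    raise ValueError("quantity must be positive")
```

The reference id is what support staff search the log for; the user never sees the secret embedded in the exception message, but the operator does.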
- Privilege escalation must be considered: it means a user gains more rights within the application than were intended.
o Vertical privilege escalation: a user obtains rights belonging to a higher privilege level than originally intended (for example, an ordinary user performing administrator functions).
o Horizontal privilege escalation: an authenticated user finds a way to access another user's data or impersonate another user with equal rights (for example, by changing an ID in a request).
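Both forms of privilege escalation as missing authorization checks, each beside the check that closes it (the horizontal case is also the insecure direct object reference from the list above). Added example for these notes, not from the original; the users, invoices and `Forbidden` exception are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Invoice:
    id: int
    owner_id: int
    total: float


# Constructed sample data: two ordinary users and one administrator.
USERS = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
INVOICES = {100: Invoice(100, owner_id=1, total=50.0), 200: Invoice(200, owner_id=2, total=75.0)}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the action."""


def get_invoice_vulnerable(session_user_id, invoice_id):
    # Authenticated, but the record is fetched by client-supplied id with no ownership check
    # (an insecure direct object reference). User 1 reads user 2's invoice by changing the id
    # in the request: horizontal privilege escalation.
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user_id, invoice_id):
    user = USERS[session_user_id]
    invoice = INVOICES[invoice_id]
    # Object-level check: the caller must own the record, or hold a role allowed to see all records.
    if invoice.owner_id != user.id and user.role != "admin":
        raise Forbidden(f"user {user.id} may not read invoice {invoice_id}")
    return invoice


def delete_user_vulnerable(users, session_user_id, target_id, is_admin_param):
    # Trusts an "is_admin" flag that arrived with the request (hidden form field, cookie, JSON body).
    # Anyone who sets it gains administrator rights: vertical privilege escalation.
    if not is_admin_param:
        raise Forbidden("admin only")
    return users.pop(target_id)


def delete_user_hardened(users, session_user_id, target_id):
    # The role comes from server-side session state, never from the request.
    if users[session_user_id].role != "admin":
        raise Forbidden("admin only")
    return users.pop(target_id)


def denied(fn, *args):
    """True if the call is rejected with Forbidden (helper for the demonstration)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The pattern to take away: authentication tells you who the caller is; every handler still has to decide, from server-side state, whether that caller may touch this particular object.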
- Fuzzing/fault injection: in the testing phase we feed the application random, malformed or unexpected data. The reason for doing this is to monitor the application and observe how it behaves, so that crashes and unhandled errors are found before an attacker finds them.
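A small mutation fuzzer run against a parser that trusts its length fields and against a version that checks them. Added example for these notes, not from the original; the wire format (`encode_record`), both parsers and the mutation operators are constructed for the demonstration.

```python
import random
import struct


class ParseError(ValueError):
    """The one exception a well-behaved parser is allowed to raise for bad input."""


def encode_record(fields):
    """Toy wire format (constructed for this example): 1-byte field count, then per field a
    2-byte big-endian length, the bytes, and a 0x00 terminator."""
    out = bytes([len(fields)])
    for f in fields:
        out += len(f).to_bytes(2, "big") + f + b"\x00"
    return out


def parse_buggy(data):
    """Trusts the declared count and lengths: truncated or inflated input makes it index past
    the end (IndexError) or unpack past the end (struct.error) instead of raising ParseError."""
    count = data[0]
    pos = 1
    fields = []
    for _ in range(count):
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        if data[pos + n] != 0:
            raise ParseError("missing terminator")
        fields.append(data[pos:pos + n])
        pos += n + 1
    return fields


def parse_hardened(data):
    """Checks every declared length against the bytes actually present before using it."""
    if not data:
        raise ParseError("empty input")
    count, pos, fields = data[0], 1, []
    for _ in range(count):
        if pos + 2 > len(data):
            raise ParseError("truncated length field")
        n = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if pos + n + 1 > len(data):
            raise ParseError("declared length exceeds available data")
        if data[pos + n] != 0:
            raise ParseError("missing terminator")
        fields.append(data[pos:pos + n])
        pos += n + 1
    if pos != len(data):
        raise ParseError("trailing bytes")
    return fields


def mutate(seed, rng):
    """One random mutation of a valid input: flip a byte, truncate, insert junk, or set a length to an extreme."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and data:
        del data[rng.randrange(len(data)):]
    elif op == 2:
        at = rng.randrange(len(data) + 1)
        data[at:at] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    elif len(data) >= 3:
        data[1:3] = rng.choice([b"\xff\xff", b"\x00\x00", b"\x7f\xff"])
    return bytes(data)


def fuzz(parser, seed, iterations=500, rng_seed=1):
    """Feed mutated inputs to the parser; report every input that escaped with something other than ParseError."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ParseError:
            pass                      # clean rejection: the behaviour we want on bad input
        except Exception as exc:      # anything else is an unhandled fault worth a bug report
            crashes.append((sample, type(exc).__name__))
    return crashes


SEED = encode_record([b"alice", b"admin"])   # a valid record to start mutating from
```

The fuzzer is deterministic (fixed RNG seed) so a found crash can be replayed. In a memory-unsafe language the same trusted-length bug is an out-of-bounds read or write rather than a Python exception, which is why the next point in these notes matters.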
- Memory leaks, buffer overflows and integer overflows should be handled properly, because they lead to crashes and exploitable memory corruption, not merely performance problems.
- The application developer should put proper checks in place for race conditions (for example, check-then-act sequences on shared state) and resource exhaustion (for example, limits on request size, rate and number of concurrent connections).
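A race condition of the check-then-act kind, forced to happen deterministically so it can be observed, beside the locked version that prevents it. Added example for these notes, not from the original; the `Account` class and the `go` event that stands in for a thread switch are constructed for the demonstration.

```python
import threading
import time


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, go):
    """Check-then-act on shared state with no synchronization (a TOCTOU race)."""
    if acct.balance >= amount:   # time of check
        go.wait()                # stands in for the scheduler switching to another thread here
        acct.balance -= amount   # time of use: acts on a balance that may already have changed
        return True
    return False


def withdraw_locked(acct, amount, go):
    """The check and the update happen while holding the account lock, so they are one atomic step."""
    with acct.lock:
        if acct.balance >= amount:
            go.wait()
            acct.balance -= amount
            return True
        return False


def run_two_withdrawals(withdraw, start=100, amount=80):
    """Two threads each try to withdraw `amount` from one account holding `start`.
    Returns (final balance, list of per-thread results)."""
    acct = Account(start)
    go = threading.Event()
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(withdraw(acct, amount, go)))
        for _ in range(2)
    ]
    for t in threads:
        t.start()
    time.sleep(0.2)   # let both threads reach the check (or block on the lock) before releasing them
    go.set()
    for t in threads:
        t.join()
    return acct.balance, results
```

With the racy version both threads pass the balance check before either subtracts, so 160 is withdrawn from 100 and the balance goes to -60. With the lock the second thread cannot even run its check until the first has finished, so it is correctly refused. The same structure (check a file, then open it; check a quota, then consume it) is where these bugs appear in real systems.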
- When working with web services, WS-Security should be implemented to protect the messages exchanged between the client and the web service. WS-Security is a SOAP extension that provides message-level security: XML Signature for integrity, XML Encryption for confidentiality, and security tokens (such as SAML tokens) for identity. It is normally used together with HTTPS, which protects the transport between the client and the server.
- Secure coding standards such as those published by OWASP should be used by developers to ensure the security of web applications, and security should be incorporated at every step of the System Development Life Cycle (SDLC).
- Specific application issues:
o Session management
o HTTP is stateless (not "session-less"): each request stands alone, so the application itself must track who the user is from one request to the next
o Security tokens
o HTTP cookies
o Flash Local Shared Objects ("Flash cookies", found in older applications)
o Improper storage of sensitive data: passwords, keys, PKI certificates
o Secure cookie storage and transmission
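The session-management and cookie points above in code: a server-side session store with random ids, expiry and rotation at login, and the Set-Cookie attributes that keep the id off plain HTTP, away from page scripts and off cross-site requests. Added example for these notes, not from the original; the 15-minute `SESSION_TTL`, the fake clock and the `session_lifecycle_demo` walk-through are assumptions made for the demonstration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60   # idle lifetime in seconds (assumption for the example)


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random id; all state stays on the server."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now      # injectable clock so expiry can be exercised without waiting

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not a counter, timestamp or username hash
        self._sessions[sid] = {"user_id": user_id, "expires": self._now() + SESSION_TTL}
        return sid

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() > entry["expires"]:
            del self._sessions[sid]          # expired sessions are dropped, not silently extended
            return None
        return entry["user_id"]

    def rotate(self, old_sid):
        """Issue a fresh id after login or a privilege change, so an id planted before
        authentication (session fixation) never becomes an authenticated session."""
        user_id = self.lookup(old_sid)
        if user_id is None:
            return None
        del self._sessions[old_sid]
        return self.create(user_id)

    def destroy(self, sid):
        self._sessions.pop(sid, None)        # logout must invalidate server-side, not just clear the cookie


def session_cookie_weak(sid):
    """Cookie with no attributes: sent over plain HTTP, readable by page scripts, attached to cross-site requests."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    return cookie.output(header="").strip()


def session_cookie_hardened(sid):
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True        # only transmitted over HTTPS
    cookie["session"]["httponly"] = True      # not exposed to JavaScript, so XSS cannot read it
    cookie["session"]["samesite"] = "Strict"  # not sent on cross-site requests, which blunts CSRF
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = SESSION_TTL
    return cookie.output(header="").strip()


def session_lifecycle_demo():
    """Walk one session through login, rotation and expiry on a fake clock; returns what each step observed."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    planted_sid = store.create(user_id=42)        # models an id an attacker fixed in the victim's browser
    sid = store.rotate(planted_sid)               # rotate at login
    fixation_blocked = store.lookup(planted_sid) is None
    valid_now = store.lookup(sid) == 42
    clock[0] += SESSION_TTL + 1
    expired = store.lookup(sid) is None
    return {"fixation_blocked": fixation_blocked, "valid_now": valid_now, "expired": expired}
```

`session_cookie_hardened("abc")` yields `session=abc; HttpOnly; Max-Age=900; Path=/; SameSite=Strict; Secure`, which is the header to look for when reviewing an application's cookie handling; the weak version is just `session=abc`.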