Web Applications

These systems need to have a significant amount of time spent on them in the design phase. Why?
Web Application: Input

- Assume all input is malicious
- Centralize your approach
- Do not rely on client-side validation
- Be careful with canonicalization issues
- Constrain, reject and sanitize your input
- Validate data for type, length, format and range
- Sanitize: strip excess null characters, spaces, etc.
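The slide's rules (canonicalize first, then constrain by type, length, format and range, and reject what does not fit) as one centralized validation layer. This is an added example, not code from the original slides; the field rules, the upload directory and the error messages are assumptions made for the demonstration.

```python
import os
import re
import unicodedata

# Added example (not from the original slides): a small, centralized
# validation layer that canonicalizes first and then constrains input
# against an allow-list. Field rules and the base directory are assumptions.


class ValidationError(ValueError):
    """Raised when input is rejected; the message names the failed check."""


def canonicalize(value) -> str:
    """Reduce input to one canonical form before any rule is evaluated.

    NFKC normalization maps compatibility forms (fullwidth letters,
    ligatures) to their plain equivalents, so an ASCII allow-list cannot be
    bypassed with look-alike code points; embedded NULs and surrounding
    whitespace are stripped (the "sanitize" step).
    """
    if not isinstance(value, str):
        raise ValidationError("type: expected a string")
    value = unicodedata.normalize("NFKC", value)
    value = value.replace("\x00", "")
    return value.strip()


# Allow-list for a username: lowercase ASCII letter first, 3-16 chars total.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")


def validate_username(raw) -> str:
    value = canonicalize(raw)
    if not 3 <= len(value) <= 16:
        raise ValidationError("length: username must be 3-16 characters")
    if USERNAME_RE.fullmatch(value) is None:
        raise ValidationError("format: only a-z, 0-9 and _ are allowed")
    return value


# Allow-list for an order quantity: ASCII digits only, then a range check.
# str.isdigit() and int() also accept non-ASCII digits, hence the regex.
QUANTITY_RE = re.compile(r"[0-9]{1,3}")


def validate_quantity(raw) -> int:
    value = canonicalize(raw)
    if QUANTITY_RE.fullmatch(value) is None:
        raise ValidationError("format: quantity must be ASCII digits")
    quantity = int(value)
    if not 1 <= quantity <= 100:
        raise ValidationError("range: quantity must be between 1 and 100")
    return quantity


def resolve_within(base_dir: str, requested: str) -> str:
    """Canonicalize a user-supplied relative path and confirm it stays
    inside base_dir. Looking for '..' in the raw string is not enough;
    the comparison is done on the resolved (real) paths."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, canonicalize(requested)))
    if os.path.commonpath([base, target]) != base:
        raise ValidationError("path: escapes the allowed directory")
    return target


if __name__ == "__main__":
    print(validate_username("ａｌｉｃｅ"))          # fullwidth letters -> "alice"
    print(validate_quantity(" 42 "))
    print(resolve_within("/srv/uploads", "2024/report.pdf"))
    for bad in ("../etc/passwd", "2024/../../secret", "../uploads2/x"):
        try:
            resolve_within("/srv/uploads", bad)
        except ValidationError as err:
            print("rejected:", err)
```

The path check uses `os.path.commonpath` on the resolved paths rather than a string prefix test, because `/srv/uploads2` starts with `/srv/uploads` as a string but is a different directory.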
Web Application: Authentication

- User names and passwords sent over a secure channel (SSL)
- Credentials stored
- Credentials verified
- Authentication ticket (cookie) to verify the user after logon

- Separate public and restricted areas.
- Use account lockout policies for end-user accounts.
- Support password expiration periods.
- Be able to disable accounts.
- Do not store passwords in user stores.
- Require strong passwords.
- Do not send passwords over the wire in plaintext.
- Protect authentication cookies.
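The credential-store side of the slide (no plaintext password stored, strong-password policy, lockout, expiration, disabling) as a worked example. This is added code, not from the original slides; the policy constants, the in-memory store and the PBKDF2 iteration count are assumptions, and the iteration count is deliberately low so the demonstration runs quickly.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Added example (not from the original slides). Policy constants and the
# in-memory "user store" are assumptions made for the demonstration.
MAX_FAILURES = 5                      # lock the account after this many bad passwords
LOCKOUT_SECONDS = 15 * 60
PASSWORD_MAX_AGE = 90 * 24 * 60 * 60  # expiration period
PBKDF2_ITERATIONS = 100_000           # kept low for the demo; use a higher count in production
DUMMY_SALT = os.urandom(16)           # used to equalize timing for unknown users


@dataclass
class Account:
    salt: bytes
    digest: bytes           # PBKDF2 output; the password itself is never stored
    password_set_at: float
    failures: int = 0
    locked_until: float = 0.0
    disabled: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def is_strong(password: str) -> bool:
    """Policy: at least 12 characters and at least three character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 12 and sum(classes) >= 3


def register(store: dict, username: str, password: str, now=None) -> None:
    now = time.time() if now is None else now
    if not is_strong(password):
        raise ValueError("password does not meet the strength policy")
    salt = os.urandom(16)
    store[username] = Account(salt=salt, digest=_derive(password, salt), password_set_at=now)


def authenticate(store: dict, username: str, password: str, now=None) -> str:
    """Return one of: ok, invalid, locked, disabled, expired."""
    now = time.time() if now is None else now
    acct = store.get(username)
    if acct is None:
        _derive(password, DUMMY_SALT)   # same cost as a real check, so timing does not reveal valid names
        return "invalid"
    if acct.disabled:
        return "disabled"
    if now < acct.locked_until:
        return "locked"
    if not hmac.compare_digest(_derive(password, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "invalid"
    acct.failures = 0
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return "expired"   # the caller should force a password change
    return "ok"


def disable(store: dict, username: str) -> None:
    store[username].disabled = True


if __name__ == "__main__":
    users = {}
    register(users, "alice", "Correct-Horse-9x")
    print(authenticate(users, "alice", "Correct-Horse-9x"))   # ok
    print(authenticate(users, "alice", "not-the-password"))   # invalid
```

The `now` parameter exists so the lockout and expiration paths can be exercised deterministically; a real service would call `time.time()` and would also record the failures in the user store rather than in process memory.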
Web Application: Authorization

- Use multiple gatekeepers
- Restrict user access to system-level resources
- Consider authorization granularity
- Hybrid model
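"Multiple gatekeepers" and "granularity" are easiest to see with two checks in series: a coarse role check on the URL and a fine-grained ownership check on the record, which together form the hybrid model. This is an added example, not from the original slides; the routes, roles and the invoice table are constructed for the demonstration.

```python
from dataclasses import dataclass

# Added example (not from the original slides): two gatekeepers in series.
# Routes, roles and the invoice table are constructed assumptions.


class Forbidden(PermissionError):
    pass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


# Gate 1: which roles may reach which URL prefix. Anything not listed is denied.
ROUTE_ROLES = {
    "/admin/": {"admin"},
    "/invoices/": {"admin", "customer"},
}

# Constructed data store: invoice id -> owner and amount.
INVOICES = {
    "inv-1001": {"owner": "alice", "total": 120.0},
    "inv-1002": {"owner": "bob", "total": 75.5},
}


def gate_route(principal: Principal, path: str) -> None:
    """Coarse-grained gate: role-based access to a URL prefix, deny by default."""
    for prefix, allowed in ROUTE_ROLES.items():
        if path.startswith(prefix):
            if principal.roles & allowed:
                return
            raise Forbidden(f"role check failed for {path}")
    raise Forbidden(f"no rule for {path}; denied by default")


def gate_invoice(principal: Principal, invoice_id: str) -> dict:
    """Fine-grained gate: a role grants broad access, ownership grants narrow
    access. Missing and foreign records get the same answer, so the gate does
    not reveal which invoice ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is not None and ("admin" in principal.roles or invoice["owner"] == principal.user_id):
        return invoice
    raise Forbidden(f"{invoice_id}: not found or not permitted for {principal.user_id}")


def get_invoice(principal: Principal, invoice_id: str) -> dict:
    """Request handler: both gates must pass. The first lets any customer onto
    the URL; the second stops a customer from reading another customer's record."""
    gate_route(principal, f"/invoices/{invoice_id}")
    return gate_invoice(principal, invoice_id)


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"customer"}))
    print(get_invoice(alice, "inv-1001"))
    try:
        get_invoice(alice, "inv-1002")
    except Forbidden as err:
        print("rejected:", err)
```

The point of the second gate is that the role check alone would pass any customer for any invoice; the record-level check is where the granularity lives.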
Web Application: Configuration Management

- Secure administration interfaces
- Secure your configuration stores
- Maintain separate administration privileges
- Use least-privileged process and service accounts
Web Application: Sensitive Data

- Storing secrets: do not store any keys or passwords in plain text
- Retrieve data on demand
- Secure the communication between client and server
- Do not store data in cookies
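One way to honour "do not store keys or passwords in plain text" and "retrieve data on demand" together with the configuration-store point from the previous slide: keep the secret out of the configuration object entirely and fetch it when needed from the environment or from a file that only the service account can read. This is an added example, not from the original slides; the secrets directory, the variable name and the permission rule are assumptions.

```python
import os
import stat

# Added example (not from the original slides): retrieve a secret on demand
# from the environment or from a restricted file instead of hard-coding it.
# The default directory and the variable name are assumptions.


class SecretError(RuntimeError):
    pass


def load_secret(name: str, secrets_dir: str = "/run/secrets") -> str:
    """Look up NAME in the environment first, then in secrets_dir/NAME.

    A secret file readable by group or others is refused: a world-readable
    key file is no better than a plaintext key in the configuration file.
    """
    value = os.environ.get(name)
    if value:
        return value
    path = os.path.join(secrets_dir, name)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        raise SecretError(f"secret {name!r} is not configured") from None
    if not stat.S_ISREG(st.st_mode):
        raise SecretError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretError(f"{path} is accessible to other users; refusing to load it")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


class DbConfig:
    """Holds only non-secret settings. The password is fetched on demand, so
    it is never serialized or logged with the rest of the configuration."""

    def __init__(self, host: str, user: str,
                 secret_name: str = "DB_PASSWORD", secrets_dir: str = "/run/secrets"):
        self.host = host
        self.user = user
        self._secret_name = secret_name
        self._secrets_dir = secrets_dir

    @property
    def password(self) -> str:
        return load_secret(self._secret_name, self._secrets_dir)

    def __repr__(self) -> str:
        # Deliberately omits the password so a dumped config carries no secret.
        return f"DbConfig(host={self.host!r}, user={self.user!r})"


if __name__ == "__main__":
    cfg = DbConfig("db.internal", "app")
    print(cfg)   # no secret in the output
    try:
        print(len(cfg.password), "characters loaded")
    except SecretError as err:
        print("not loaded:", err)
```

The mode check looks at the permission bits rather than trying to open the file, so it flags a misconfigured file even when the process itself happens to run as root.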
Web Application: Session Management

- Use SSL to protect session cookies
- Encrypt the contents of the authentication cookies
- Limit session lifetime
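The authentication ticket from the Authentication slide, the "do not store data in cookies" rule from the Sensitive Data slide and this slide's cookie protections and session lifetime, worked as one example. It is added code, not from the original slides; the key, lifetime and cookie name are assumptions. The ticket is HMAC-signed so it cannot be forged or altered, it carries an expiry, and it is sent with the `Secure` and `HttpOnly` attributes. It is signed rather than encrypted because it holds only a user id and timestamps (nothing sensitive); if role or other data had to ride in the cookie, the slide's "encrypt the contents" would call for an authenticated-encryption primitive from a library such as `cryptography`, which is not shown here.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not from the original slides): a signed, expiring
# authentication ticket carried in a cookie. Key, lifetime and cookie name
# are assumptions.

SESSION_LIFETIME = 20 * 60   # seconds; re-issue on activity for a sliding window
COOKIE_NAME = "auth"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: str) -> str:
    return _b64e(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def issue_ticket(key: bytes, user_id: str, now=None) -> str:
    """Ticket = base64url(claims).base64url(HMAC-SHA256). Only the user id
    and the issue/expiry times go in: no password, roles or other data."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user_id, "iat": now, "exp": now + SESSION_LIFETIME}
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(key, body)}"


def verify_ticket(key: bytes, ticket: str, now=None):
    """Return the user id for a valid, unexpired ticket, else None.
    The signature is checked in constant time before the body is parsed,
    so a tampered ticket never reaches the JSON decoder."""
    now = time.time() if now is None else now
    parts = ticket.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(_sign(key, body), sig):
        return None
    try:
        claims = json.loads(_b64d(body))
    except ValueError:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims.get("sub")


def set_cookie_header(ticket: str) -> str:
    """Secure: sent only over SSL/TLS. HttpOnly: not readable from script.
    Max-Age matches the ticket lifetime so the browser drops it on expiry."""
    return (f"{COOKIE_NAME}={ticket}; Max-Age={SESSION_LIFETIME}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    ticket = issue_ticket(key, "alice")
    print(set_cookie_header(ticket))
    print(verify_ticket(key, ticket))                                  # alice
    print(verify_ticket(key, ticket, now=time.time() + SESSION_LIFETIME))  # None
```

The server-side check is what enforces the lifetime; `Max-Age` only asks the browser to cooperate, so `verify_ticket` re-checks `exp` on every request.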