The intention of this space is to highlight problems, solutions and what (not) to do.
- Attackers: this section will contain a short description of the types of attackers out there.
- Attacks: this section will describe known attacks and their enablers.
- Strategy concepts and best practices: this section will examine the broader concepts of security, the common denominators of successful security management.
- Standard security measures: this is the hands-on section, where well-known measures are described and, where open source implementations exist, they will be presented.
- Environment: this section does not discuss greenhouse effects, but rather other potentially harmful effects of the environment in which web applications reside.
- Security Resources: this section lists resources available on the web; well-written articles and different security organisations.
Web application security is much more than just firewalls and SSL. It's the practice of building security in. The idea is that it's difficult or impossible to secure an application by putting up a defensive perimeter (the "hard shell, soft core" approach). The main reason this won't work is that it is so difficult to put up a complete defence. Instead, the application should be able to handle attacks without falling apart.
Below are some reasons webapp security is difficult:
- Easy access: potential attackers can reside anywhere in the world. The attack surface cannot be controlled and is large.
- Web apps will often be a frontend or interface for other systems that were not intended to be accessible on a network, like old banking applications. These applications were not developed with a focus on security and are often complex, making it difficult to assess potential security issues. This means that the web app may be the last line of defence for these systems.
- Developers are generally not educated in the field of software security, and today's development techniques haven't incorporated security as a part of the process.
- Web apps will typically interact with users and other systems, and depend upon servers that run other applications. A weakness in another system or application can therefore give attackers a different attack vector and circumvent security measures that were based upon assumptions about the environment.
- Web framework security tactics: how frameworks should be handled.
- OWASP Top Ten: a project that maintains the list of the ten most serious web application vulnerabilities.