The intention of this space is to highlight problems, solutions and what to do (and what not to do).
- Attackers: a short description of the types of attackers out there.
- Attacks: known attacks and their enablers.
- Strategy concepts and best practices: the broader concepts of security, the common denominators of successful security management.
- Standard security measures: the hands-on section where well-known measures are described; where open source implementations exist, they are presented.
- Environment: this section does not discuss greenhouse effects, but rather other potentially harmful effects of the environment in which web applications reside.
- Security Resources: resources available on the web; well-written articles and different security organisations.
Webapp security
Web application security is much more than firewalls and SSL. It is the practice of building security in. The basic idea is that it is difficult or impossible to secure an application by putting up a defensive perimeter (the hard shell, soft core approach). The main reason this does not work is that a complete perimeter defence is so difficult to achieve. Instead, the application itself should be able to handle attacks without falling apart.
The underlying problems
Below are some reasons web application security is difficult:
- Easy access: potential attackers can reside anywhere in the world. The attack surface is large and cannot be controlled.
- Web applications are often a front end or interface for other systems that were never intended to be accessible on a network, such as old banking applications. These systems were not developed with a focus on security and are often complex, making it difficult to assess potential security issues. The web application may therefore be the last line of defence for these systems.
- Developers are generally not educated in the field of software security, and today's development techniques have not incorporated security as a part of the process.
- Web applications typically interact with users and other systems, and depend upon servers that run other applications. A weakness in another system or application can therefore give attackers a different attack vector and let them circumvent security measures that were based on assumptions about the environment.
Different sources on how security should be incorporated into practice:
- Web framework security tactics: how frameworks should be handled.
- OWASP Top Ten: the project that maintains the list of the ten most serious web application vulnerabilities.
Pages in this space:
- Attackers
- CSRF
- Attacks
- Environment
- Incorporating best security practices in development
- Input Validation
- Security Resources
- Standard security measures
- Strategy concepts and best practices
- Web framework security tactics
- Java SSL - Keystores
- Output Encoding
- Tomcat production setup
- Audit log
- Identity Management
- Web Application Security
- RESTful authentication
- IoT Security
2 Comments
Jan 22, 2009
Thomas Ferris Nicolaisen
Good list of the top 25 programming security mistakes:
http://www.codinghorror.com/blog/archives/001210.html
May 05, 2009
Thomas Ferris Nicolaisen