Guide to Securing Web Applications

The NUIT Guide to Securing Web Applications was developed as a resource for web application developers, testers, and the Information and Systems Security/Compliance (ISS/C) department. In particular, the guide is meant to:

  • Provide sound application development guidance for application developers so that web applications may be designed with security in mind.
  • Provide guidance for application developers on testing existing web applications for security vulnerabilities (such as buffer overflows, cross-site scripting, etc.).
  • Encourage developers to obtain secure coding education/instruction.
  • Provide guidance for ISS/C personnel on testing web applications for security vulnerabilities.

Policy Statement:

Secure Web Applications and Coding

Secure coding is the practice of writing code for systems, applications and web pages in such a way as to ensure the confidentiality, integrity and accessibility of data and information related to those systems. Programmers fluent in secure coding practices can avoid common security flaws in programming languages and follow best practices to help avoid the increasing number of targeted attacks that focus on application vulnerabilities.

ISS/C recommends that all developers attend a secure coding class, such as the SANS Secure Coding: Developing Defensible Applications course.

Secure coding practices, in conjunction with pre-production and ongoing testing via ISS/C’s Information Security Vulnerability and Web Application Assessment Programs, help to ensure that applications are developed and maintained with a minimum exposure to known security vulnerabilities. When secure coding practice is applied throughout the development life cycle, the benefits can be: minimal impact to project implementation dates and schedules; reduced exposure to compromise; and overall improvements to risk management.

Developers should utilize the “OWASP Top Ten” list to guide their secure coding efforts. The OWASP Top Ten details the most common web application security vulnerabilities, including basic methods to protect against these vulnerabilities.

See the OWASP web site for the current list.

For web application assessment, ISS/C uses WebInspect, an automated Web application and Web services vulnerability assessment tool that is specifically designed to assess potential security flaws and to provide all the information needed to fix them. As an assessment is initiated, WebInspect assigns "assessment agents" that dynamically catalog all areas of a Web application. As these agents complete the assessment, findings are reported to a main security engine that analyzes the results.

WebInspect then launches audit engines to evaluate the gathered information and apply attack algorithms to locate vulnerabilities and determine their severity. Manual assessment using WebInspect is also possible for in-depth testing. Reporting is provided in the main GUI console and as standalone reports in numerous formats.

More information on the ISS/C Vulnerability Assessment and Web Application Assessment Programs may be found on the NUIT Vulnerability Assessment Program page.

Recommendations

The following descriptions refer to the sections in the OWASP Web Guide Project document.

These references provide general guidance to the technologies addressed in these sections and the specific recommendations contained therein.

1. Building Secure Web Services and AJAX Topics

Web Services

This section deals with the common issues facing web developers as they work to build secure web apps, whether that includes Java, PHP, AJAX or other web languages and/or technologies.

2. Secure Web Application and Secure Coding Topics

Authentication

This section deals with authentication issues associated with secure web apps, such as basic/digest authentication, form-based authentication, integrated (SSO) authentication, etc.

Authorization

This section addresses authorization issues, ensuring a user has the appropriate privileges to view a resource. Topics such as the principle of least privilege, client-side authorization tokens, etc. are addressed here.

Session Management

This section addresses topics such as authenticated users having a robust and cryptographically secure association with their session, applications enforcing authorization checks and applications avoiding or preventing common web attacks, such as replay, request forging and man-in-the-middle.

Data Validation

This section deals with applications being robust against all forms of input data, whether obtained from the user, infrastructure, external entities or databases.

Interpreter Injection

This section addresses application issues so they are secure from well-known parameter manipulation attacks against common interpreters.

Canonicalization, Locale and Unicode

This section addresses issues that help to ensure the application is robust when subjected to encoded, internationalized and Unicode input.

Error Handling, Auditing and Logging

This section deals with designing well-written applications that have dual-purpose logs and activity traces for audit and monitoring. This makes it easy to track a transaction without excessive effort or access to the system. Such applications should be able to easily track or identify potential fraud or anomalies end-to-end.

Distributed Computing

This section deals with synchronization and remote services to web applications, by hardening applications against:

  • time of check, time of use race conditions
  • distributed synchronization issues
  • common multi-programming, multi-threaded and distributed security issues

Buffer Overflow

This section addresses issues such as:

  • Applications do not expose themselves to faulty components
  • Applications create as few buffer overflows as possible
  • Developers are encouraged to use languages and frameworks that are relatively immune to buffer overflows.

Administrative Interfaces

This section addresses issues such as ensuring that:

  • Administrator level functions are appropriately segregated from user activity
  • Users cannot access or utilize administrator functionality
  • Necessary audit and traceability of administrative functionality is provided

Cryptography

This section helps to ensure that cryptography is safely used to protect the confidentiality and integrity of sensitive user data.

Configuration

This section is focused on creating secure web applications which are as well-built and secure out-of-the-box as possible.

Software Quality Assurance (QA)

According to the OWASP 3.0 guide, “The software quality assurance goal is to confirm the confidentiality and integrity of private user data is protected as the data is handled, stored, and transmitted. The QA testing should also confirm the application cannot be hacked, broken, commandeered, overloaded, or blocked by denial of service attacks, within acceptable risk levels. This implies that the acceptable risk levels and threat modeling scenarios are established up front, so the developers and QA engineers know what to expect and what to work towards.”

Deployment

This section deals with the issues surrounding secure deployment of web applications.

Maintenance

This section addresses issues such as:

  • Products are properly maintained post deployment
  • Minimize the attack surface area throughout the production lifecycle
  • Security defects are fixed properly and in a timely fashion

Policy Review Date:

July 2012

Original Issue Date:

June 2008

Revision Dates:

July 2012
June 2008

Additional Information: