Web Application Security
As the number of Internet users increases day by day, companies provide more online facilities to their customers, and with these facilities the risk to sensitive information passed over the Internet also grows. We constantly hear about threats to online IDs and passwords, hacking of personal, official and government sites, viruses, and theft of business or financial information.
With the ever-increasing number of threats faced by web applications, the focus should be on strengthening risk management practices by implementing effective processes from time to time, rather than spending hefty amounts on technology alone.
So for a secure web application, we should consider the following processes:
Input Validations
All input data should be validated.
Attackers inject commands or malicious data into our application, so every input channel should be secured.
Data read back from the database should not be trusted either; it should be validated like any other input.
Authentication
All credentials should be secured if they are passed over the network.
Strong account policies should be used.
Strong passwords should be enforced.
We should use certificates.
Authorization
Authorization should be enforced at the database as well as in the application.
The application should allow access only after credentials have been successfully confirmed.
Configuration Management
A secure administration interface should be used for application support.
Remote administration should be secured.
Configuration stores should be secured.
Sensitive Data
Sensitive data should be handled carefully by the application.
It should be secured while it travels over the network.
Encryption should be used, and the encryption mechanism itself (including its keys) should be secured.
Session Management
Session cookies should be secured to prevent session hijacking.
Persistent session state should be secured.
Session state should be secured as it crosses the network.
Credentials passed over the network should be secured.
Credentials maintained by the application should be secured.
Parameter Manipulation
All parameters should be validated, whether they arrive in HTTP headers, in cookies or in form fields.
Exception Management
The application should handle error conditions properly.
Generic error messages should be used so that they do not reveal information an attacker could use.
Auditing and Logging
Auditing should be done across all servers.
Log files should be secured.
These are some of the processes that we can follow to decrease risk and secure the web application.
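As an added illustration of the Input Validation, Parameter Manipulation, Session Management and Exception Management items above (example code written for this page, not from the original post; the parameter names, patterns and cookie name are assumptions):

```python
import re
import logging

log = logging.getLogger("webapp.security")

# Allowlist rules per untrusted parameter source. Names and patterns are
# illustrative assumptions for this example, not from the original post.
RULES = {
    "form":   {"username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
               "quantity": re.compile(r"[1-9][0-9]{0,3}")},
    "cookie": {"session_id": re.compile(r"[A-Fa-f0-9]{64}")},
    "header": {"X-Requested-With": re.compile(r"XMLHttpRequest")},
}


class ValidationError(ValueError):
    """Raised when a header, cookie or form field fails the allowlist."""


def validate_params(source, params, reject_unknown=None):
    """Return only allowlisted, pattern-matching parameters from `params`.
    Form submissions reject unexpected fields; browsers send many headers and
    cookies we do not consume, so those are ignored rather than rejected."""
    rules = RULES[source]
    if reject_unknown is None:
        reject_unknown = source == "form"
    clean = {}
    for name, value in params.items():
        pattern = rules.get(name)
        if pattern is None:
            if reject_unknown:
                raise ValidationError(f"unexpected {source} parameter: {name}")
            continue
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            raise ValidationError(f"invalid {source} parameter: {name}")
        clean[name] = value
    return clean


def session_cookie(session_id):
    """Set-Cookie value with attributes that reduce session hijacking:
    Secure (TLS only), HttpOnly (no script access), SameSite (no cross-site send)."""
    return f"session_id={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def handle_error(exc):
    """Log full detail for auditing; return only a generic message to the client."""
    log.error("request failed", exc_info=exc)
    if isinstance(exc, ValidationError):
        return 400, "Invalid request."
    return 500, "An internal error occurred."
```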
Some freeware tools are available on the Internet for security testing, such as TamperIE.
TamperIE allows tampering with HTTP requests, and we can use this freeware tool especially for testing for cross-site scripting, SQL injection and buffer-overflow vulnerabilities.
So when considering quality standards for a web application, we should treat security as one of the major quality concerns.
