The goal of application security:
To prevent unauthorized disclosure, alteration and destruction of data whenever it is stored,processed or transmitted.
Firewall and SSL doesn't prevent all.
9 key considerations:
Sensitive Data
Understand the data. If your application handles cardholder data, ensure Payment Card Industry requirements are met.
Limit the amount of sensitive data stored.
Authentication
authentication infrastructures.
Session Management
Use SSL to create a secure communication channel.Always protect sensitive session information with cryptography.
For web cookies, set the secure flag to TRUE.Set sensitive session cookies to avoid exposure through HTTP.
Ensure session tokens are not easy to guess.
Use HttpOnly to minimize exposure in the event of an XSS vulnerability.
Avoid setting or exposing sessions through GET and POST requests.
Implement logout functionality
Limit the lifetime of session tokens
Authorization
Apply the principle of least privilege(Who has access, Type of access, Duration of access)
Ensure default Access Control Lists(ACLs) don't give too much access.
Perform role checks before allowing access to operations that could reveal sensitive data.
Perform periodic reviews of authorization lists and permissions.
Input validation(sql injection, XSS, buffer overflow, JSON data, upload file)
Assume all input is malicious.
Perform data validation at input points as well as just before use in the processing component
Do not accept commands from the user unless you parse and validate
Be aware of special commands, characters and quoting
Check authorization before acting.
sql injection:
Parameterize database queries or use stored procedure calls if they're permitted.
Classic business logic checking(data type, length, range, content checking)
For legacy code where parameterize or sp calls aren't possible, sanitization can be considered.
XSS:
Never insert untrusted data into an open Javascript region or style element or tag element or HTML comment.
Use HTMLEncode and URLEncode or IVEncoder to encode output that includes user input.
buffer overflow:
validate the legth of data
Use the "safe" versions of libraries.
Some compilers and OS have feature to help.
JSON data:
Never pass to eval() function without confirm it is syntactically valid JSON.
Whenever possible, a JSON-specific function should be used.
upload file:
permit execution by file extensions or file permission settings.
Is a .JPG file really a valid JPEG file?
limit the size of a file
Tools:
WebInspect:ASTA
Fiddler: Users can view and manipulate both requests and responses
Parameter Manipulation
Use session identifiers to reference state stored on the server side rather than using hidden form fields
Protect hidden form fields using a technique like a cryptographic hash with a secret key known only on the server side, such as an HMAC.
Cryptography
Without proper key management, cryptography is useless.
Ensure information is protected as required by the cryptography policy.
Do not develop your own cryptography algorithms.
Auditing and logging
Do log key events such as transactions, login and logout events
Do log critical application operations
Do backup log files
Do inspect log files
Don't log session ID's
Don't log PII(Personally Identifiable Information)
Do not permit shared accounts
Exception handling
Use exception handling throughtout the code base.
Fail secure: sanitize sensitive data in all cases especially in failure situations.
Return generic, harmless error messages to the client.
Configuration Management
Ensure application patches are appropriately applied as these may not covered by HPIT.
Ensure the platform is hardened.
Minimize number of administration interfaces & limit administrative access
Use appropriate authentication & authorization before permitting cofiguration changes
Ensure logging includes configuration changes