Most people would be aware of OWASP WebGoat or Foundstone's Hacme Books and Hacme Bank. These are deliberately insecure applications to teach beginners about common security vulnerabilities.

On the contrary, I have not been able to locate any application that is intentionally secure. Granted that no such application is completely secure, but are there any applications that would implement a collection of best practices that most other applications should follow?

PS: To clarify my needs, I'm looking for a 'secure equivalent' of Webgoat, or even better, a secure Pet Store application. Design tradeoffs for security, that are discussed in a paper/website/blog would be a bonus.

PPS: This is now community-wiki, especially since there can/could be several right answers - this is not language specific.

+1 A:

The OWASP Guide contains this information.

Noon Silk
Agreed. But I'm looking for application source code that can be studied. People make mistakes interpreting information :)
Vineet Reynolds
Or for that matter, not all security attributes can be incorporated into an application. I'm equally interested in the trade-offs that have been taken during implementation.
Vineet Reynolds
Fair enough; I suppose no one has yet been brave enough to say 'here is the ultimate secure bank app' :) Maybe suggest it, work on it as an OWASP project. It's an arguably interesting idea.
Noon Silk
My knowledge of cryptography is nil, but IMHO, 'secure' is a relative term... What is secure today may not be secure tomorrow, brute-force attacks may break whatever was deemed secure in earlier years. The same applies to algorithms, e.g. the weakness uncovered in the ENIGMA.
Everyone
A: 

I think a more interesting question is "can you show me a code that can securely do X and Y" - reusable snippets of secure code that take some input and produce security-validated output.

Konrads
Thanks for the response. The reason why the question is for a complete app as opposed to snippets of code is more so because during construction of an app, one might regard a particular snippet of code to be more secure than others in certain contexts. For instance, some applications (desktop ones) built in Java would store and manage passwords using byte arrays only (more secure than Strings, which are almost always found in web apps). Any secure Java web app would have to live with that vulnerability. A snippet of code often does not expose this.
Vineet Reynolds
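An added example, not code from this thread, of the array-based password handling the comment above refers to: the password only ever lives in a char[], is consumed by a PBKDF2 key derivation, and the array is zeroed as soon as the hash exists, which an immutable String would not allow. The sample password, salt and iteration count are constructed values; it assumes Java 8 or later for the PBKDF2WithHmacSHA256 provider.

```java
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordArrayDemo {

    // Derives a PBKDF2 hash from a password held in a char[] and wipes the
    // array afterwards. Both the caller's array and the internal copy made by
    // PBEKeySpec are cleared, so no plaintext copy lingers on the heap.
    static byte[] deriveHash(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // zero the copy held inside the spec
            Arrays.fill(password, '\0');   // zero the caller's array in place
        }
    }

    // Returns true if every element of the array has been zeroed.
    static boolean isWiped(char[] password) {
        for (char c : password) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. A desktop app would obtain this directly from
        // System.console().readPassword(), which also returns a char[] rather
        // than a String; a servlet's request.getParameter() returns a String,
        // which is the limitation the comment above points out.
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't', 'h', 'o', 'r', 's', 'e'};
        byte[] salt = {0x01, 0x23, 0x45, 0x67, (byte) 0x89, (byte) 0xAB, (byte) 0xCD, (byte) 0xEF};
        int iterations = 100_000;   // constructed value for the example, not a tuning recommendation

        byte[] hash = deriveHash(password, salt, iterations);

        StringBuilder hex = new StringBuilder();
        for (byte b : hash) hex.append(String.format("%02x", b));
        System.out.println("PBKDF2 hash:     " + hex);
        System.out.println("password wiped:  " + isWiped(password));
    }
}
```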