I am looking for easy steps that are simple and effective in making a web application more secure.
What are your top tips for secure web applications, and what kind of attack will they stop?
+3
A:
- Escape user provided content to avoid XSS attacks.
- Using paremeterised SQL or stored procedures to avoid SQL Injections attacks.
- Running the webserver as an unprivilaged account to minimise attackes on the OS.
- Setting the webserver directories to an unprivilaged account, again, to minimise attackes on the OS.
- Setting up unprivilaged accounts on the SQL server and using them for the application to minimise attacks on the DB.
For more in depth information, there is always the OWASP Guide to Building Secure Web Applications and Web Services
Oded
2008-09-06 08:23:10
+8
A:
Microsoft Technet has en excellent article:
Ten Tips for Designing, Building, and Deploying More Secure Web Applications
Here are the topics for the tips answered in that article:
- Never Directly Trust User Input
- Services Should Have Neither System nor Administrator Access
- Follow SQL Server Best Practices
- Protect the Assets
- Include Auditing, Logging, and Reporting Features
- Analyze the Source Code
- Deploy Components Using Defense in Depth
- Turn Off In-Depth Error Messages for End Users
- Know the 10 Laws of Security Administration
- Have a Security Incident Response Plan
Espo
2008-09-06 08:23:56
I especially love tip no. 10! Admittedly, never have thought about it before.
kRON
2010-10-15 18:16:26
+6
A:
Do not trust user input.
Validation of expected data types and formatting is essential to avaoiding SQL injection and Cross-Site Scripting (XSS) attacks.
Andy Rose
2008-09-06 08:31:17
+4
A:
Related stack overflow question:
Checklist for Web Site Programming Vunerabilities
http://stackoverflow.com/questions/28965/checklist-for-web-site-programming-vunerabilities
Jeff Atwood
2008-09-06 09:23:09
A:
Set the secure flag on cookies for SSL applications. Otherwise there is always a highjacking attack that is much easier to conduct than breaking the crypto. This is the essence of CVE-2002-1152.
Purfideas
2008-09-06 13:49:56
A:
Some of my favourites:
- Filter Input, Escape Output to help guard against XSS or SQL injection attacks
- Use prepared statements for database queries (SQL injection attacks)
- Disable unused user accounts on your server to prevent brute force password attacks
- Remove Apache version info from HTTP header (ServerSignature=Off, ServerTokens=ProductOnly)
- Run your web server in a chroot jail to limit damage if compromised
Andrew Whitehouse
2008-09-06 15:42:42
A:
OWASP is your friend. Their Top Ten List of web application security vulnerabilities includes a description of each problem and how to defend against it. The site is a good resource for learning more about web application security and is a wealth of tools and and testing techniques as well.
Markc
2008-09-16 02:14:06