Secure Coding for Web Applications

Introduction

The applications that run on the internet are vitally important to us. We want to be assured that these applications are secure, but more often than not, security best practices are not followed during their design and implementation. Below are some tips for mitigating the common security flaws found in many current enterprise web applications.

Build Security Into The Development Process

Security needs to be promoted to become part of the development stage of software engineering; it should not be ignored until the product is being tested. Many people do not include security features in their lists of user requirements, a practice which leads to insecure code and ultimately to insecure systems.

Consider introducing the following practices into your development process:

Keep Security Code Simple

One of the tenets of writing good code is that the code should be easy to read and understand. This principle is even more important where security is concerned. If your security code is too difficult to understand, consider wrapping it in a higher-level security API which can be used throughout your organisation. A simpler API also makes code reviews and the use of static analysis tools easier.

Validate and Encode

In internet applications, trust only as a last resort. Protect your assets at every layer of your architecture, from your web server to your business objects to your database, and defend yourself at every opportunity. Place access restrictions on sensitive URLs. Validate and encode data whenever it crosses a system security boundary: validate user input, then prevent injection attacks by encoding that input for the context in which it is used, e.g. an LDAP search filter. "Defence in depth" is the policy to follow here.
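
The validate-then-encode step for the LDAP case, as an added example (this is not code from the original page; the function names, the user-filter template and the constructed injection string are this example's own assumptions). Validation is the first layer and encoding the second: the login-name lookup rejects anything outside an allow-list, while the people-search box, which must accept brackets and quotes, relies on filter encoding to keep user-typed characters literal.

```python
import re

# Added example: allow-list validation at the trust boundary, then encoding
# for the LDAP filter context (defence in depth). All function names here are
# this example's own assumptions, not a library API.

USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(raw: str) -> str:
    """Allow-list check: a login name is letters, digits, '.', '_' or '-'."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("username contains characters outside the allow-list")
    return raw


def escape_ldap_filter_value(value: str) -> str:
    """Encode a value for an LDAP search filter (RFC 4515 section 3):
    backslash, '*', '(', ')' and NUL become backslash + two hex digits,
    so they are matched literally instead of being parsed as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable form: raw concatenation lets the caller rewrite the filter."""
    return "(&(objectClass=person)(uid=%s))" % username


def build_user_filter(username: str) -> str:
    """Hardened form: validate, then encode for the filter context."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(
        validate_username(username)
    )


def build_cn_filter(search_term: str) -> str:
    """A people-search box legitimately accepts spaces, quotes and brackets,
    so a strict allow-list is not possible; here encoding is the control that
    keeps user-typed '*', '(' and ')' from acting as filter syntax."""
    if not 1 <= len(search_term) <= 100:
        raise ValueError("search term length out of range")
    return "(cn=%s)" % escape_ldap_filter_value(search_term)


if __name__ == "__main__":
    payload = "*)(uid=*"   # constructed injection attempt
    # Unsafe: (&(objectClass=person)(uid=*)(uid=*)) matches every person
    print(build_user_filter_unsafe(payload))
    try:
        build_user_filter(payload)
    except ValueError as e:
        print("rejected:", e)
    print(build_cn_filter("Smith (Acme)"))   # (cn=Smith \28Acme\29)
```

The unsafe builder turns the constructed payload into a filter that matches every person entry; the hardened builder rejects it at validation, and even a value that passes validation is encoded before it reaches the filter.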

Fail, Log and Recover Securely

Define a high-level set of security exception classes which all developers in your organisation can use. With these classes, all of your applications share a common policy for dealing with authentication failures, validation failures, authorisation failures and intrusion detection. The classes can be designed to log all required information and to show users a message that is informative yet reveals nothing an attacker could use. Log access control decisions and input validation failures, and analyse the logs to identify attacks on your system.
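
One shape such a hierarchy can take, as an added example (not code from the original page; the class names, event names, status codes and the constructed log records are this example's own assumptions). Each exception carries an internal detail for the log and a separate safe message for the user, and the structured records it writes are what the log-analysis pass reads back.

```python
import json
import logging
from collections import Counter
from datetime import datetime, timezone

# Added example: a small hierarchy of security exceptions shared by all
# applications, each carrying an internal detail for the log and a separate
# safe message for the user, plus a log-analysis pass over the records they
# emit. Class and function names are this example's own assumptions.

log = logging.getLogger("appsec")


class SecurityException(Exception):
    event = "security.generic"      # stable event name for log analysis
    http_status = 400
    user_message = "The request could not be processed."

    def __init__(self, detail: str, *, user: str = "-", source_ip: str = "-"):
        super().__init__(detail)
        self.detail = detail          # internal: may name users, rules, files
        self.user = user
        self.source_ip = source_ip

    def to_log_line(self) -> str:
        """One JSON record per event; structured so it can be analysed later."""
        return json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "event": self.event,
            "user": self.user,
            "ip": self.source_ip,
            "detail": self.detail,
        })


class AuthenticationFailure(SecurityException):
    event = "auth.failure"
    http_status = 401
    # Same wording whether the account exists or not: no user enumeration.
    user_message = "Invalid username or password."


class ValidationFailure(SecurityException):
    event = "validation.failure"
    http_status = 400
    user_message = "The submitted data was not accepted."


class AuthorisationFailure(SecurityException):
    event = "authz.denied"
    http_status = 403
    user_message = "You do not have permission to perform this action."


class IntrusionDetected(SecurityException):
    event = "ids.alert"
    http_status = 400      # deliberately indistinguishable from a plain bad request


def handle(exc: SecurityException) -> dict:
    """Common policy for the web layer: log the detail, return only the safe
    message and status code. exc.detail never reaches the response."""
    log.warning(exc.to_log_line())
    return {"status": exc.http_status, "body": exc.user_message}


SUSPICIOUS = {"auth.failure", "validation.failure", "authz.denied", "ids.alert"}


def find_attackers(log_lines, threshold: int = 5) -> dict:
    """Analyse the JSON records: source IPs with `threshold` or more
    suspicious events are candidates for blocking or investigation."""
    counts = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if rec["event"] in SUSPICIOUS:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample: one IP brute-forcing, one user mistyping once.
    lines = [AuthenticationFailure("bad password for admin", user="admin",
                                   source_ip="203.0.113.7").to_log_line()
             for _ in range(6)]
    lines.append(AuthenticationFailure("bad password for bob", user="bob",
                                       source_ip="198.51.100.4").to_log_line())
    print(handle(AuthorisationFailure("bob read invoice 1002 owned by alice",
                                      user="bob", source_ip="198.51.100.4")))
    print(find_attackers(lines))   # {'203.0.113.7': 6}
```

The point of the split is that handle() is the only place the web layer needs to know about; whatever a developer raises, the user sees the class's fixed message and the detail goes to the log, where find_attackers() (or a real log pipeline) can count failures per source.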

No Private Data in URLs

Do not expose internal object references to the outside world, e.g. database keys or file names. Implement an access reference map which translates an indirect public reference into the direct private reference.
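
An access reference map kept in the user's session, as an added example (not code from the original page; the class, the invoice store and the page handlers are this example's own assumptions). Links on the page carry only a random public reference; a request that presents a raw database key, or a reference issued to another user's session, is refused.

```python
import secrets

# Added example: an access reference map kept in the user's session.
# Pages and URLs carry only the opaque public reference; the private direct
# reference (here a database key) never leaves the server. The class and
# function names are this example's own assumptions.


class AccessReferenceMap:
    def __init__(self):
        self._direct_by_indirect = {}
        self._indirect_by_direct = {}

    def add(self, direct):
        """Register a direct reference the current user is allowed to see and
        return its public reference (random, so it cannot be guessed or
        incremented like a database key)."""
        if direct in self._indirect_by_direct:
            return self._indirect_by_direct[direct]
        indirect = secrets.token_urlsafe(16)
        self._direct_by_indirect[indirect] = direct
        self._indirect_by_direct[direct] = indirect
        return indirect

    def resolve(self, indirect):
        """Translate a public reference back. Anything not in this user's map,
        including a raw database key pasted into the URL, is refused."""
        try:
            return self._direct_by_indirect[indirect]
        except KeyError:
            raise PermissionError("reference not valid for this session") from None


# Constructed data store: invoice id -> (owner, amount).
INVOICES = {1001: ("alice", 120.0), 1002: ("bob", 75.5), 1003: ("alice", 9.99)}


def invoice_list_page(session: dict, username: str) -> list:
    """Build the user's list; each link uses the indirect reference."""
    arm = session.setdefault("arm", AccessReferenceMap())
    return [
        "/invoice?ref=" + arm.add(inv_id)
        for inv_id, (owner, _) in INVOICES.items() if owner == username
    ]


def invoice_page(session: dict, ref: str) -> float:
    """Handle GET /invoice?ref=...: resolve via the session's map only."""
    arm = session.setdefault("arm", AccessReferenceMap())
    inv_id = arm.resolve(ref)      # raises PermissionError if not theirs
    return INVOICES[inv_id][1]


if __name__ == "__main__":
    alice = {}
    links = invoice_list_page(alice, "alice")
    print(links)                                         # two opaque links
    print(invoice_page(alice, links[0].split("ref=")[1]))  # 120.0
    try:
        invoice_page(alice, "1002")                      # bob's key, guessed
    except PermissionError as e:
        print("refused:", e)
```

Because the map is built from the records the user is entitled to, the lookup is also the authorisation check: there is no separate "does this user own invoice 1002" test to forget.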

Secure Session Management

A new session identifier should be generated for every logon. Reusing a session identifier across the logon introduces a security hole in which an attacker who knows (or has planted) the identifier can impersonate the user once that user has authenticated.

Handle Authentication and Identity

Some things you need to do here are:

Handle Access Control

When a user logs on successfully, they should be told the time of their last successful login. A security token should be created and stored in the user object associated with this session. This token is then included in every link and form in your web application and checked on each request; doing this protects you from Cross-Site Request Forgery (CSRF) attacks. An authorisation check should be run before a user accesses a given URL, function, form or item of data.
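
The session and token handling from the two sections above (Secure Session Management and Handle Access Control), as one added example that is not code from the original page. It is an in-memory store with hypothetical names; a real application would use its framework's session machinery, and the timestamps and usernames are constructed. The store discards the identifier the browser presented at login and issues a fresh one, reports the previous login time, and binds a per-session token that every state-changing form must return.

```python
import hmac
import secrets

# Added example covering session regeneration on login and a per-session
# security token checked on every state-changing request. In-memory and
# hypothetical; names are this example's own assumptions.


class SessionStore:
    def __init__(self):
        self._sessions = {}       # session id -> session data
        self._last_login = {}     # username -> last successful login time

    def create(self) -> str:
        """Anonymous (pre-login) session, e.g. for a shopping basket."""
        sid = secrets.token_urlsafe(32)      # 256 bits of randomness
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def login(self, presented_sid: str, username: str, now: str) -> str:
        """Called only after the password check succeeds. The identifier the
        browser presented is discarded, so an id an attacker planted in the
        victim's browser (session fixation) never becomes authenticated."""
        self._sessions.pop(presented_sid, None)
        previous = self._last_login.get(username)
        self._last_login[username] = now
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {
            "user": username,
            "csrf_token": secrets.token_urlsafe(32),   # per-session security token
            "previous_login": previous,                 # shown to the user after login
        }
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def form_html(store: SessionStore, sid: str, action: str) -> str:
    """Every form (and, for links, every URL) carries the session's token."""
    token = store.get(sid)["csrf_token"]
    return ('<form method="post" action="%s">'
            '<input type="hidden" name="csrf_token" value="%s"></form>'
            % (action, token))


def check_csrf(store: SessionStore, sid: str, submitted: str) -> bool:
    """Verify a state-changing request. A forged request from another site can
    carry the cookie but cannot read the token, so it fails here."""
    sess = store.get(sid)
    if sess is None or sess["user"] is None or not submitted:
        return False
    return hmac.compare_digest(sess["csrf_token"].encode(), submitted.encode())


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()                       # attacker knows this id
    sid = store.login(planted, "alice", "2024-05-01T09:00:00Z")
    print(store.get(planted))                      # None: planted id is dead
    print(store.get(sid)["previous_login"])        # None on first login
    sid2 = store.login(store.create(), "alice", "2024-05-02T08:30:00Z")
    print(store.get(sid2)["previous_login"])       # 2024-05-01T09:00:00Z
    print(check_csrf(store, sid2, store.get(sid2)["csrf_token"]))   # True
    print(check_csrf(store, sid2, "guess"))                          # False
```

The comparison uses hmac.compare_digest rather than == so that token checking does not leak timing information, and an anonymous session can never pass the CSRF check at all, since it holds no token.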

Protect Against Cross Site Scripting (XSS)

XSS is the number one security concern of web-enabled applications. The attack consists of malicious data being received over the net and delivered to a user's browser: the attacker has manipulated the data served by a given web site, and so tricks users of the compromised site into running script of the attacker's choosing, e.g. sending the user's session cookie back to the attacker.

It is imperative that your web server: explicitly sets the character set encoding for each page it generates, validates and sanitises all user input, and encodes every dynamic output element for the context in which it appears.
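
The three measures together, as an added example that is not code from the original page (the page template, the function names and the constructed attacker input are this example's own assumptions). Output encoding is per context: the same display name is encoded one way as element text and attribute value, another way inside a script block, and is percent-encoded before it becomes part of a URL.

```python
import html
import json
from urllib.parse import quote, urlsplit

# Added example: charset declared explicitly, input validated, and each dynamic
# value encoded for the exact context it lands in (HTML body, attribute,
# JavaScript string, URL). Function names and the page template are this
# example's own assumptions.

RESPONSE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}


def encode_html_text(value: str) -> str:
    """For element content and quoted attribute values."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """For a value placed inside a <script> block: a JSON string literal with
    <, >, & and the JS line terminators U+2028/2029 hex-escaped, so the
    browser's HTML parser can never see a closing </script>."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026")
            .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def encode_url_param(value: str) -> str:
    """For a value inside a query string (the whole URL is then still
    attribute-encoded when it is placed in href="...")."""
    return quote(value, safe="")


def safe_href(url: str) -> str:
    """Allow only http(s) links; a javascript: URL is script however it is encoded."""
    return url if urlsplit(url).scheme in ("http", "https") else "#"


def render_profile(display_name: str, homepage: str) -> str:
    if not 1 <= len(display_name) <= 60:
        raise ValueError("display name length out of range")   # validate first
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        '<h1>%s</h1>'
        '<a href="%s" title="%s">home</a>'
        '<a href="/search?q=%s">find</a>'
        '<script>var user = %s;</script>'
        '</body></html>'
    ) % (
        encode_html_text(display_name),                    # element content
        encode_html_text(safe_href(homepage)),             # attribute value
        encode_html_text(display_name),                    # attribute value
        encode_html_text(encode_url_param(display_name)),  # URL param, then attribute
        encode_js_string(display_name),                    # JavaScript string
    )


if __name__ == "__main__":
    # Constructed attacker input aimed at each context.
    page = render_profile('"><script>alert(document.cookie)</script>',
                          "javascript:alert(1)")
    print(RESPONSE_HEADERS)
    print(page)
```

The charset is set both in the response header and in the page's meta tag so the browser never has to guess the encoding (a guessed encoding can turn harmless bytes into markup). The script context is the one most often got wrong: HTML-escaping there breaks the JavaScript, and JSON alone still lets a literal </script> end the block, which is why the extra unicode escapes are applied.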

Contact CSE
Email: cse@dcu.ie
Tel: +353 1 700 5427
Copyright © Centre for Software Engineering