
A Security Checklist for Web Application Design

Interested in learning more about security? SANS Institute InfoSec Reading Room. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Copyright SANS Institute, Author Retains Full Rights.

A Security Checklist for Web Application Design
Gail Zemanek Bayse
GIAC Security Essential Certification (GSEC) Practical Assignment, Version 1.4b
© SANS Institute 2004, As part of the Information Security Reading Room. Author retains full rights.

Abstract

Web applications are very enticing to corporations. They provide quick access to corporate resources; user-friendly interfaces, and deployment to remote users is effortless. For the very same reasons web applications can be a serious security risk to the corporation. Unauthorized users can find the same benefits: "quick access," "user-friendly," and "effortless" access to corporate data.

This paper is written for Information Technology professionals who are not programmers and may not be aware of the specific problems presented when using an externally facing web application to attach to a mission critical database. The content provides a description of the security challenges introduced by externally facing web applications. It provides the knowledge necessary to articulate to developers the security requirements for a specific web application, to make contractual the obligation of the developer to build an application that is secure, and to assure that appropriate testing is completed prior to moving to a production environment. The document is structured as a checklist of challenges. For each challenge there are specific checkpoints that delineate the security concern. The checklist provides a basis for securing web applications and the databases they connect to from malicious and unintentional abuse.

Checklist

- Risk Assessment
- Authentication
- Authorization and Access Control
- Session Management
- Data and Input Validation
- Cross Site Scripting (XSS)
- Command Injection Flaws
- Buffer Overflows
- Error Handling
- Logging
- Remote Administration
- Web Application and Server Configuration

Risk Assessment

Challenge:

Not all applications used in a secured Local Area Network (LAN) present additional security risk. It is important to match the security requirements with the risk imposed by the new application. An application that is used by employees solely from within the LAN and streamlines tasks already part of their functional role may require no additional security. However, an externally facing web application used by remote employees, consultants or vendors, attaching to a mission critical database, poses a very different set of concerns. Every data asset must be examined and its confidentiality, criticality and vulnerability assessed. It is crucial to develop security procedures that are appropriate to each asset's criticality and vulnerability. "Security is almost always an overhead, either in cost or performance." [1] Therefore, the goal is to match the level of security with the assessed risk to assure that the latency caused by security and the dollar amount spent securing an application are realistic and acceptable.

An application determined to be of risk to mission critical data will require a thorough security component during its design phase, in development and implementation, and into maintenance. Use the following questions as checkpoints to determine the level of risk posed and the requisite security layers to be added.

Checkpoints:

- Which applications are affected by the requested change?
- Who are the users? Where are the users physically located?
- Will the application attach to mission critical applications? Will it modify any confidential or critical data?
- Where should additional user authentication be built into the application?
- Where will the application be physically located in the network? In the DMZ, the internal network? Will it be installed on new equipment or share an existing server? Will it coexist well with existing applications?
- Will any data considered sensitive or confidential be transmitted over external communication links?
- If the system was compromised would it result in financial loss or the loss of reputation? Can you place a dollar amount on any loss?
- What is the history of the OS platform with respect to security?
- What would motivate someone to break into the application?
- Will the application have high external visibility, making it an obvious target to attackers?

Authentication

Challenge: