Security of web applications

[size=x-large]The goal of application security: [/size]
To prevent unauthorized [color=red]disclosure, alteration and destruction[/color] of data whenever it is [color=red]stored, processed or transmitted[/color].

Firewalls and SSL don't prevent everything: a firewall lets legitimate HTTP(S) traffic through, and SSL only protects data in transit, so flaws in the application itself (injection, weak session handling, missing authorization checks) pass straight through both.

[size=x-large]10 key considerations:[/size]
[size=large]Sensitive Data [/size]
Understand the data. If your application handles cardholder data, ensure Payment Card Industry (PCI DSS) requirements are met.

Limit the amount of sensitive data stored; data you never keep cannot be disclosed.

[size=large]Authentication [/size]
Use existing authentication infrastructures.

[size=large]Session Management [/size]
Use SSL/TLS to create a secure communication channel. Always protect sensitive session information with cryptography.

For web cookies, set the Secure flag so that session cookies are never sent over plain HTTP.

Ensure session tokens are not easy to guess: generate them from a cryptographically secure random source with enough entropy.

Set the HttpOnly flag so that script cannot read the cookie; this minimizes exposure in the event of an XSS vulnerability.

Avoid setting or exposing session identifiers through GET or POST parameters; URLs in particular end up in browser history, proxy logs and Referer headers.

Implement logout functionality that invalidates the session on the server side, not just on the client.

Limit the lifetime of session tokens.
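The session rules above, as one added example (written for this page, not code from the original notes or from any product it mentions). Python's standard library is used so it runs anywhere; the cookie name SESSIONID, the 15-minute lifetime and the in-memory session table are assumptions, and the `now` clock argument exists only so expiry can be exercised without waiting.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"
SESSION_LIFETIME = 15 * 60  # assumption: 15-minute token lifetime, in seconds


class SessionStore:
    """Server-side session table keyed by an unguessable random token.

    `now` is an injectable clock so expiry can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._sessions = {}  # token -> {"user": str, "expires": float}
        self._now = now

    def create(self, user):
        # 32 bytes from the OS CSPRNG, URL-safe base64: 43 characters, not guessable.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": self._now() + SESSION_LIFETIME}
        return token

    def lookup(self, token):
        """Return the user for a live token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._now() >= entry["expires"]:
            del self._sessions[token]  # expired tokens are purged, never honoured
            return None
        return entry["user"]

    def rotate(self, token):
        """Issue a fresh token for the same user. Call this after login or any
        privilege change so a token fixed before authentication is never upgraded."""
        user = self.lookup(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)

    def logout(self, token):
        """Logout must invalidate server-side state, not just clear the cookie."""
        return self._sessions.pop(token, None) is not None


def session_cookie_header(token):
    """Set-Cookie value carrying the flags from the checklist."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = token
    morsel = cookie[SESSION_COOKIE]
    morsel["secure"] = True        # never sent over plain HTTP
    morsel["httponly"] = True      # invisible to document.cookie, limits XSS impact
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = SESSION_LIFETIME
    return morsel.OutputString()


def logout_cookie_header():
    """Set-Cookie value that clears the cookie on the client after logout."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = ""
    morsel = cookie[SESSION_COOKIE]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["path"] = "/"
    morsel["max-age"] = 0
    return morsel.OutputString()
```

The header produced by `session_cookie_header` looks like `SESSIONID=<token>; HttpOnly; Max-Age=900; Path=/; SameSite=Strict; Secure`; the token itself is the only thing the client ever holds, all state lives in the store.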

[size=large]Authorization [/size]
Apply the principle of least privilege (who has access, what type of access, and for how long).

Ensure default Access Control Lists (ACLs) don't give too much access.

Perform role checks before allowing access to operations that could reveal sensitive data.

Perform periodic reviews of authorization lists and permissions.

[size=large]Input validation[/size] (SQL injection, XSS, buffer overflow, JSON data, file upload)

Assume all input is malicious.

Perform data validation at input points as well as just before use in the processing component.

Do not accept commands from the user unless you parse and validate them.

Be aware of special commands, characters and quoting.

Check authorization before acting.

[size=medium]SQL injection:[/size]
Parameterize database queries, or use stored procedure calls if they're permitted (a stored procedure that builds dynamic SQL from its arguments is just as injectable).

Classic business-logic checking (data type, length, range, content).

For legacy code where parameterized queries or stored-procedure calls aren't possible, sanitization (escaping) can be considered as a last resort.
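The injection and its fix side by side, as an added example (not code from the original notes). It uses Python with the standard sqlite3 module so the attack can actually be run; the `users` table, its two rows, the username rule of 1-32 characters from [A-Za-z0-9_], and the payload are all constructed for the example.

```python
import re
import sqlite3


def build_demo_db():
    """In-memory table with constructed rows (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable: the user-supplied name is spliced into the SQL text, so a
    quote in the input changes the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Safe: the value travels to the engine separately from the SQL text and
    can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Assumption for the example: usernames are short ASCII word characters.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name):
    """Classic business-logic check (type, length, content) applied at the
    input point, before the value goes anywhere near the database."""
    return isinstance(name, str) and NAME_RE.fullmatch(name) is not None


def find_user(conn, raw_name):
    """Defence in depth: reject malformed input, then query with parameters."""
    if not validate_username(raw_name):
        raise ValueError("invalid username")
    return find_user_parameterized(conn, raw_name)
```

With the payload `x' OR '1'='1`, the concatenated query becomes `... WHERE name = 'x' OR '1'='1'` and returns every row; the parameterized version compares the whole payload as a literal name and returns nothing. The validation step rejects the payload before the query is even built.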

[size=medium]XSS:[/size]
Never insert untrusted data directly into a script block, a style element or CSS rule, a tag name or attribute name, or an HTML comment; output encoding cannot make those contexts safe.

Use HTMLEncode and URLEncode (or IVEncoder) to encode output that includes user input, choosing the encoder that matches the context the data lands in.
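Context-specific output encoding, as an added example (not code from the original notes). Python's `html.escape` and `urllib.parse.quote` stand in for the HTMLEncode and URLEncode named above; the `render_profile` fragment, its field names and the attack payloads are constructed for the example. The script-block case writes the value into a quoted JavaScript string literal, which is the one placement inside a script that encoding can protect, and it is encoded with the JS-string encoder, not the HTML encoder.

```python
import html
import json
from urllib.parse import quote

# Constructed attack payloads for the three contexts (not from the page).
HTML_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
JS_PAYLOAD = "</script><script>alert(1)</script>"


def encode_for_html(s):
    """Text inside an element body: & < > \" ' become entities (HTMLEncode)."""
    return html.escape(s, quote=True)


def encode_for_attribute(s):
    """Attribute value: same entity set; the caller must always quote the attribute."""
    return html.escape(s, quote=True)


def encode_for_url_param(s):
    """Value placed in a query string: percent-encode everything (URLEncode)."""
    return quote(s, safe="")


def encode_for_js_string(s):
    """Value placed inside a quoted JavaScript string literal in a <script> block.
    JSON encoding escapes quotes and backslashes; '</' and '<!--' are escaped as
    well because the HTML parser would otherwise end the script block early."""
    return json.dumps(s).replace("</", "<\\/").replace("<!--", "<\\!--")


def render_profile(display_name, search_term):
    """Assemble a page fragment with each untrusted value encoded for its context."""
    return (
        f"<h1>Hello {encode_for_html(display_name)}</h1>\n"
        f'<input type="text" value="{encode_for_attribute(search_term)}">\n'
        f'<a href="/search?q={encode_for_url_param(search_term)}">again</a>\n'
        f"<script>var lastSearch = {encode_for_js_string(search_term)};</script>"
    )


def render_profile_unsafe(display_name, search_term):
    """The vulnerable counterpart: raw interpolation, so the payload becomes markup."""
    return f'<h1>Hello {display_name}</h1>\n<input type="text" value="{search_term}">'
```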

[size=medium]Buffer overflow:[/size]
Validate the length of data before copying it into a fixed-size buffer.

Use the "safe", bounds-checked versions of library functions.

Some compilers and operating systems have features that help (stack protection, non-executable stacks, address space layout randomization), but these are mitigations, not a substitute for length checks.

[size=medium]JSON data:[/size]
Never pass data to eval() without first confirming that it is syntactically valid JSON.

Whenever possible, use a JSON-specific parser (such as JSON.parse) instead of eval().
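Why a JSON parser and not eval(), as an added example (not code from the original notes). The point above is made for JavaScript; Python shows the same failure because its eval() also runs whatever it is given, and `json.loads` plays the role of JSON.parse. The two input strings and the expected login payload shape are constructed for the example.

```python
import json

# Constructed inputs (not from the page).
VALID = '{"user": "alice", "roles": ["reader", "editor"]}'
# Not JSON at all, but valid Python: eval() would execute the embedded call.
NOT_JSON = '{"user": __import__("os").getcwd()}'


def parse_with_eval(text):
    """The anti-pattern from the checklist: eval() 'parses' the document by
    executing it as code, so any executable text an attacker embeds runs.
    Shown only to contrast with parse_json_strict; do not use."""
    return eval(text)


def parse_json_strict(text):
    """JSON-specific parser: anything that is not syntactically valid JSON is
    rejected instead of executed."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def load_login_payload(text):
    """Parse, then validate the shape and types before the data is used.
    A syntactically valid document can still carry the wrong structure."""
    doc = parse_json_strict(text)
    if not isinstance(doc, dict):
        return None
    user = doc.get("user")
    roles = doc.get("roles")
    if not isinstance(user, str) or not isinstance(roles, list):
        return None
    if not all(isinstance(r, str) for r in roles):
        return None
    return {"user": user, "roles": roles}
```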

[size=medium]File upload:[/size]
Prevent execution of uploaded files through file extension restrictions and file permission settings.

Is a .JPG file really a valid JPEG file? Check the content, not just the extension.

Limit the size of a file.

[size=medium]Tools:[/size]
WebInspect: ASTA

Fiddler: a web debugging proxy; users can view and manipulate both requests and responses.


[size=large]Parameter Manipulation [/size]
Use session identifiers to reference state stored on the server side rather than using hidden form fields.

Protect hidden form fields using a technique like a cryptographic hash with a secret key known only on the server side, such as an HMAC.
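Protecting hidden form fields with an HMAC, as an added example (not code from the original notes). The server key is generated at import time only to keep the block self-contained (a real deployment loads it from a key store shared by all app servers); the field names, the `_mac` field and the session identifiers are constructed for the example. The MAC covers all protected fields together and is bound to the session, so a signed set cannot be mixed with another set or replayed from another user's form.

```python
import hashlib
import hmac
import html
import json
import secrets

# Assumption: a real deployment loads this from a key store; generated here so
# the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)
MAC_FIELD = "_mac"


def _canonical(fields, session_id):
    """Unambiguous byte encoding of the protected fields, bound to the session."""
    items = sorted((k, str(v)) for k, v in fields.items())
    return json.dumps([session_id, items], separators=(",", ":")).encode()


def sign_fields(fields, session_id, secret=SERVER_SECRET):
    return hmac.new(secret, _canonical(fields, session_id), hashlib.sha256).hexdigest()


def render_hidden_fields(fields, session_id, secret=SERVER_SECRET):
    """Emit the hidden inputs plus one MAC covering all of them."""
    def esc(s):
        return html.escape(str(s), quote=True)

    lines = [
        f'<input type="hidden" name="{esc(k)}" value="{esc(v)}">'
        for k, v in sorted(fields.items())
    ]
    lines.append(
        f'<input type="hidden" name="{MAC_FIELD}" value="{sign_fields(fields, session_id, secret)}">'
    )
    return "\n".join(lines)


def verify_form(posted, session_id, secret=SERVER_SECRET):
    """Return the protected fields if untampered, else None.

    `posted` is the dict of submitted form fields. The MAC is recomputed over
    every submitted field except the MAC itself, so changing, removing or adding
    a field invalidates it, and the comparison is constant-time."""
    posted = dict(posted)
    tag = posted.pop(MAC_FIELD, "")
    expected = sign_fields(posted, session_id, secret)
    if not hmac.compare_digest(expected, tag):
        return None
    return posted
```

The HMAC stops tampering with what the server wrote; it does not stop a user from resubmitting an old, validly signed form within the same session, which is why the session-referenced server-side state in the first point is still the better design where it is possible.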

[size=large]Cryptography [/size]
Without proper key management, cryptography is useless.

Ensure information is protected as required by the cryptography policy.

Do not develop your own cryptography algorithms.

[size=large]Auditing and logging [/size]
Do log key events such as transactions, login and logout events.

Do log critical application operations.

Do back up log files.

Do inspect log files.

Don't log session IDs.

Don't log PII (Personally Identifiable Information).

Do not permit shared accounts; they make the audit trail unattributable.

[size=large]Exception handling [/size]
Use exception handling throughout the code base.

Fail secure: sanitize sensitive data in all cases, especially in failure situations.

Return generic, harmless error messages to the client.
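The logging rules (log key events, but no session IDs or PII) and the exception-handling rules (fail secure, generic message to the client) meet in one added example, written for this page and not taken from the original notes. The logger name, the SESSIONID cookie format the redaction pattern looks for, the in-memory log handler and the failing handler with a password in its error text are all constructed for the example.

```python
import logging
import re
import secrets
import traceback

SESSION_RE = re.compile(r"\b(SESSIONID=)[A-Za-z0-9_\-]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def redact(text):
    """Strip session identifiers and e-mail addresses (PII) from a log line."""
    text = SESSION_RE.sub(r"\1[REDACTED]", text)
    return EMAIL_RE.sub("[EMAIL]", text)


class RedactingFilter(logging.Filter):
    """Attached to the logger, so every record is scrubbed before any handler sees it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


LOG_LINES = []


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory so the example runs without a log file."""

    def emit(self, record):
        LOG_LINES.append(self.format(record))


log = logging.getLogger("webapp.audit")  # assumption: logger name for the example
log.setLevel(logging.INFO)
log.propagate = False
log.addFilter(RedactingFilter())
_handler = ListHandler()
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(_handler)


def audit(event, detail):
    """Log key events (login, logout, transactions); the filter removes
    session IDs and addresses even if a caller passes them in."""
    log.info("event=%s %s", event, detail)


def handle_request(handler, *args):
    """Fail secure: full detail goes to the server log under a reference id,
    and the client only ever sees a generic message carrying that id."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = secrets.token_hex(8)
        log.error("request failed ref=%s\n%s", ref, traceback.format_exc())
        return 500, f"An internal error occurred. Reference: {ref}"


def leaky_handler():
    """Constructed failing handler whose exception text carries a secret."""
    raise RuntimeError("connect failed: password 'hunter2' rejected by db01")
```

The reference id is what support staff use to find the full stack trace in the server log; the client response never includes the exception text, the stack or the database hostname.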

[size=large]Configuration Management [/size]
Ensure application patches are appropriately applied, as these may not be covered by HPIT.

Ensure the platform is hardened.

Minimize the number of administration interfaces and limit administrative access.

Use appropriate authentication and authorization before permitting configuration changes.

Ensure logging includes configuration changes.