Nov 17 2007

Web application security

Published by Narcis Radu at 7:46 am under Web Security

Dear reader,

Are you, or your developers, familiar with the following terms: Cross Site Scripting (XSS), Injection Flaws, Malicious File Execution, Insecure Direct Object Reference, Cross Site Request Forgery (CSRF), Information Leakage and Improper Error Handling, Broken Authentication and Session Management, Insecure Cryptographic Storage, Insecure Communications, Failure to Restrict URL Access?

This is the top ten web application vulnerabilities list. Do not neglect any one of them. Traditionally, vulnerability analysis and management has been focused at the network or operating system level. Times are changing. We have to focus on the application level. One small mistake in a contact form may ruin your website and, much worse, your credibility. Writing secure applications was never an easy task. Writing web applications is like walking through a minefield. Sometimes you have to see a possible intruder in every end-user.
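To make the "small mistake in a contact form" concrete, here is an added example (not code from the original post) of a minimal contact-form handler that touches two items from the list above: Cross Site Scripting, where the submitted name is echoed back into the confirmation page, and Injection Flaws, where the message is written to a database. The vulnerable rendering is shown beside the hardened one; the database is an in-memory SQLite table and the submission is a constructed sample, both assumptions made for this illustration.

```python
import html
import sqlite3

# Constructed sample submission: the kind of input a public contact form
# receives, including characters that matter to HTML and to SQL.
SAMPLE_SUBMISSION = {
    "name": "<script>alert(1)</script>",
    "message": "Hello'); DROP TABLE messages; --",
}


def render_reply_unsafe(name):
    # Vulnerable: untrusted input is concatenated into HTML unchanged,
    # so markup in the name becomes markup in the page (XSS).
    return "<p>Thanks, " + name + "!</p>"


def render_reply_safe(name):
    # Hardened: HTML-encode the value before it reaches the page, so the
    # browser shows the characters instead of interpreting them.
    return "<p>Thanks, " + html.escape(name, quote=True) + "!</p>"


def store_message(conn, name, message):
    # Hardened: a parameterised query keeps the data out of the SQL grammar,
    # so quotes and comment markers in the message are stored as plain text.
    conn.execute(
        "INSERT INTO messages (name, message) VALUES (?, ?)",
        (name, message),
    )
    conn.commit()


def handle_submission(submission):
    # Hypothetical request handler: stores the message and returns the
    # escaped confirmation plus the rows actually written, for inspection.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (name TEXT, message TEXT)")
    store_message(conn, submission["name"], submission["message"])
    stored = conn.execute("SELECT name, message FROM messages").fetchall()
    conn.close()
    return render_reply_safe(submission["name"]), stored


if __name__ == "__main__":
    print("unsafe:", render_reply_unsafe(SAMPLE_SUBMISSION["name"]))
    reply, rows = handle_submission(SAMPLE_SUBMISSION)
    print("safe:  ", reply)
    print("stored:", rows)
```

The point a tester should take from the two outputs is that the defence lives at the boundary where data changes context: encoding when it goes into HTML, parameter binding when it goes into SQL. A form that does only one of the two is still on the list.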

When it comes to security, the defender has the hardest job. While an attacker is free to choose the point of attack, the defender must cover all the possibilities. This asymmetry makes a complex system much harder to secure.

This article is not intended to teach you how to secure your application. What we want is to make one thing clear: “You have to test your application and make sure it has no security issues”. The quality assurance team must confirm that the confidentiality and integrity of data are protected. The owner of an online business always needs to ask himself: “How secure is my application?”. How to find an answer to this question will be the subject of another article.
