Secure Web application development
The NUIT Guide to Securing Web Applications was developed as a resource for web application developers, testers, and the Information and Systems Security/Compliance (ISS/C) department. In particular, the guide is meant to:
- Provide sound application development guidance for application developers so that web applications may be designed with security in mind.
- Provide guidance for application developers on testing existing web applications for security vulnerabilities (such as buffer overflows, cross site scripting, etc.).
- Encourage developers to obtain secure coding education/instruction.
- Provide guidance for ISS/C personnel on testing web applications for security vulnerabilities.
Secure Web Applications and Coding
Secure coding is the practice of writing code for systems, applications and web pages in such a way as to ensure the confidentiality, integrity and accessibility of data and information related to those systems. Programmers fluent in secure coding practices can avoid common security flaws in programming languages and follow best practices to help avoid the increasing number of targeted attacks that focus on application vulnerabilities.
Secure coding practices, in conjunction with pre-production and ongoing testing via ISS/C’s Information Security Vulnerability and Web Application Assessment Programs, help to ensure that applications are developed and maintained with a minimum exposure to known security vulnerabilities. When secure coding practice is applied throughout the development life cycle, the benefits can be: minimal impact to project implementation dates and schedules; reduced exposure to compromise; and overall improvements to risk management.
Developers should utilize the “OWASP Top Ten” list to guide their secure coding efforts. The OWASP Top Ten details the most common web application security vulnerabilities, including basic methods to protect against these vulnerabilities.
For web application assessment, ISS/C uses WebInspect, an automated Web application and Web services vulnerability assessment tool that is specifically designed to assess potential security flaws and to provide all the information needed to fix them. As an assessment is initiated, WebInspect assigns "assessment agents" that dynamically catalog all areas of a Web application. As these agents complete the assessment, findings are reported to a main security engine that analyzes the results.
WebInspect then launches audit engines to evaluate the gathered information and apply attack algorithms to locate vulnerabilities and determine their severity. Manual assessment using WebInspect is also possible for in-depth testing. Reporting is provided in the mail GUI console and as stand alone reports in numerous formats.
These references provide general guidance to the technologies addressed in these sections and the specific recommendations contained therein.