GnuDeveloper.com

Web Applications Security Essentials

Web Applications Security Essentials

Security principles
1. Don’t trust input,Infrastructure
2. Defense in depth
3. Run with least privilege
4. Keep security simple (verifiable, economy of mechanism)
5. Separation of privilege , compartment
6. Secure the weakest link
7. Fail securely
8. Open design (Avoid security by obscurity )
9. Psychological acceptability

1. Don’t trust client input,Infrastructure

The understanding of communication between the trusted & untrusted zone
is important

Untrusted zone
By assuming all the data or input from client can be exposed to
vulnerable data. Hence we need to properly handle the data as below
steps.
1.Validation
Two types of validation are Whitelist and Blacklist.
Whitelist (Positive security model) :
Allowing only known good characters in the input.
Blacklist:
Remove the special or vulnerable characters in the input.
a. client side (optional)
b. server side (mandatory)
2. Sanitize (cleanup ) the input
3. All the output data should be encoded
Trusted zone
The communication is between internal network as application server communication wiht external system. This can be done even mutual authentication for defense in depth

2.Defense in depth

Sandbox
when we have data from the untrusted boundary(browser) to trusted code(service layer).
The sandboxes will be worth the additional execution cost,time.
The ways to prevent of Cross-site scripting (XSS)
Content Security Policy
OWASP AntiSamy Project

3. Run with least privilege

Sandbox
Provide access to only the necessary resources,permissions which the application is required to work properly.
The java Security manager also is good example for it.

4. Keep security simple:

Software complexity
The system design or source code should be easily understandable.
The System complexity is directly proportional to the testability.
If the system is complex then testing also will be complex then bug is hidden in it implicitly. The security issue is also part of hidden bug.
Source code complexity:
The source code complexity is measured by the Cyclomatic complexity.
The complexity of code grows as the Line of Code(LOC) grows.
when the Cyclomatic complexity score for a method is more then it needs to be refactored.
Hence the SOLID principle , Design pattern helps to reduce the code complexity.
The open/closed principle (OCP) applied by using the design pattern helps to reduce code Complexity as Template Pattern, Factory Method Pattern and Chain of Responsibility.

Code Complete by Steven C. McConnell says as defects change with size means defects increase wiht code base size

The linux source code proves it as below

7. Fail securely

Entitlements or Permission
we have to make our system to behave safe on any failure condition.
Always set the default value as deny access to all Entitlement.
Generally all the Entitlement values will be present in external system like LDAP server.
On fetching the user Entitlements from external system some exception like socket timeout may happened in that time the system should not expose any sensitive information to hackers.

public HashMap<String, Boolean> getUserEntitlements(String username) {
 
	HashMap<String, Boolean> result = null;
	HashMap<String, Boolean> userEntitlements = new HashMap<String, Boolean>();
 
	// By default set value to deny or no permission
	userEntitlements.put("USER_CREATE", false);
	userEntitlements.put("USER_UPDATE", false);
	userEntitlements.put("USER_DELETE", false);
 
	try {
		result = getUserAccessFromLDAP(username);
		if (result != null) {
			userEntitlements = result;
		}
	} catch (IOException ex) { /* log statement */
	}
 
	return userEntitlements;
 
}

Psychological acceptability

Applying the security control should consider the usability, performance.

Usability:
When Applying security control need to consider the usability issues.
The system may be little difficult on applying some security control example as applying password policy but more difficult the system more unusable by the user.

The password policy:
Password should have minimum 8 characters.
Minimum one special characters as !,@,#,$,%,&
Minimum should have both upper-case and lower-case letters

Performance:
The Security control should not reduce the Application performance
Groups: