Saturday, February 4, 2012

Security Checklist for Web Applications

My security checklist is nothing new; it is a compilation of well-known threats. What's new, however, is how I categorize them: by who the attacker is. The categorization helps with project management, whether in my head or for the team.

Threats from Malicious End Users

  • URL and URL parameter tampering, hidden field and LOV (list of values) id manipulation
  • Cross-site scripting, command injection, cookie poisoning (session id guessing)
  • Buffer overflows and format string attacks (unlikely in memory-safe languages and frameworks); SQL injection (still common wherever a query is built by string concatenation rather than bound parameters)
Never trust anything that arrives from the client in an HTTP request: URL, query string, form fields, hidden fields, cookies and headers are all under the attacker's control. Always:
  • Validate user input on the server against the values and formats you expect (an allow-list), not just against known-bad patterns
  • HTML-encode data before it is displayed in the browser
  • Avoid client-side caching of sensitive data (for example, by sending Cache-Control: no-store on such responses)
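The three rules above, as an added example that is not part of the original post: a purchase handler that ignores any client-sent price, validates the SKU and the shipping choice against server-side data (so hidden-field and LOV id manipulation have no effect), and HTML-encodes everything client-controlled before rendering. The catalogue, field names and prices are constructed for the example.

```python
# Added example: server-side handling of a request whose client-supplied
# fields must not be trusted. Catalogue, field names and prices are assumptions.
import html
import re
from urllib.parse import parse_qs

# Constructed server-side data: the catalogue and the list of values (LOV)
# the form lets the user choose from.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}   # price in cents
ALLOWED_SHIPPING = {"standard", "express"}       # the LOV shown on the form
EXPRESS_SURCHARGE = 500

SKU_RE = re.compile(r"^sku-\d{3}$")


class BadRequest(ValueError):
    """Raised for any request that fails validation; the caller answers 400."""


def parse_order(query_string):
    """Parse the raw query string, taking exactly one value per field.

    Repeated parameters are rejected rather than silently picking the first
    or last one, since different layers may disagree on which one wins.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    def one(name):
        values = params.get(name, [])
        if len(values) != 1:
            raise BadRequest("missing or repeated field: %s" % name)
        return values[0]

    return one("sku"), one("shipping"), one("note")


def price_order(query_string):
    """Validate the order and compute its total from server-side data only."""
    sku, shipping, note = parse_order(query_string)
    # Allow-list validation: shape check first, then membership in server data.
    if not SKU_RE.match(sku) or sku not in CATALOGUE:
        raise BadRequest("unknown sku")
    if shipping not in ALLOWED_SHIPPING:
        raise BadRequest("shipping not in list of values")
    if len(note) > 200:
        raise BadRequest("note too long")
    # The price comes from the catalogue; a client-sent 'price' field is ignored.
    total = CATALOGUE[sku] + (EXPRESS_SURCHARGE if shipping == "express" else 0)
    return {"sku": sku, "shipping": shipping, "total_cents": total, "note": note}


def render_confirmation(order):
    """HTML-encode every client-controlled value before it reaches the browser."""
    return "<p>Order %s (%s): %d cents</p><p>%s</p>" % (
        html.escape(order["sku"]),
        html.escape(order["shipping"]),
        order["total_cents"],
        html.escape(order["note"], quote=True),
    )


def no_store_headers():
    """Response headers that stop browsers and proxies caching sensitive pages."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}
```

Note that the validation is positive: the SKU must match a known shape and exist in the catalogue, the shipping option must be one of the values the form offered. A request such as `sku=sku-100&shipping=express&note=hi&price=1` still costs the catalogue price plus the surcharge, whatever `price` says.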

Threats from Malicious Employees

  • Access to sensitive data, account and password information
  • Ability to destroy or modify application data and configuration
Secure storage is key to protecting against malicious insiders, who by definition already have some access. A few methods are:
  • Encryption of sensitive data, with attention to where the encryption key is stored (not next to the data it protects) and which algorithm is chosen
  • Security provided by off-the-shelf software, for example, Oracle Database Vault
  • No caching of unencrypted sensitive data, no logging of sensitive data
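The last two points applied to the most common case, as an added example that is not part of the original post: passwords are stored only as salted, slow hashes so that an employee who can read the users table still cannot recover them; the encryption key is read from the environment rather than from code or a config file in the repository; and a logging filter scrubs passwords and card numbers before anything is written. The iteration count, environment variable name and redaction patterns are assumptions.

```python
# Added example: credential storage, key loading and log redaction that hold
# up against an insider with read access to the database and the logs.
import hashlib
import hmac
import logging
import os
import re
import secrets

PBKDF2_ITERATIONS = 600_000   # assumed cost; tune so one hash takes ~100 ms


def hash_password(password):
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(salt_hex), int(iterations))
    except ValueError:          # malformed record: wrong field count or bad hex
        return False
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def load_key_from_env(name="APP_ENC_KEY"):
    """Read a hex-encoded data-encryption key from the environment.

    Refusing to start without it is deliberate: a built-in default key would
    be the same on every deployment and readable by anyone with the source.
    """
    value = os.environ.get(name)
    if not value:
        raise RuntimeError("%s not set; refusing to start with a default key" % name)
    key = bytes.fromhex(value)
    if len(key) < 32:
        raise RuntimeError("%s is shorter than 256 bits" % name)
    return key


# Assumed redaction rules: form-style password fields and 13-16 digit runs.
REDACTION_PATTERNS = [
    (re.compile(r"(password=)[^&\s]+"), r"\1[REDACTED]"),
    (re.compile(r"\b\d{13,16}\b"), "[CARD]"),
]


def redact(text):
    """Apply the redaction rules to a string."""
    for pattern, replacement in REDACTION_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactSecrets(logging.Filter):
    """Logging filter that scrubs secrets from every record before output."""

    def filter(self, record):
        # Format once, then replace msg/args so handlers see the clean text.
        record.msg, record.args = redact(record.getMessage()), ()
        return True


def build_logger(name="app"):
    """A logger with the redaction filter attached to the logger itself."""
    logger = logging.getLogger(name)
    logger.addFilter(RedactSecrets())
    return logger
```

The filter is attached to the logger rather than to a handler, so a handler added later (a file, syslog, a monitoring agent) still receives the scrubbed message. Redaction is a safety net; the primary control remains not passing secrets to the logger at all.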

Threats from Malicious Man-in-the-Middle

  • Unencrypted data visible during transmission, cookie stealing (session hijacking)
  • Replay attacks
How to prevent:
  • Transmission over SSL/TLS for sensitive data; in practice for the whole session, so that the session cookie is never sent in the clear
  • Encryption with a shared secret; a digital signature (or a MAC under the shared secret) as proof of authenticity of a document
  • Nonce, together with a timestamp, to prevent replay attacks
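The last two points as an added example that is not part of the original post, with both sides of the exchange: the sender attaches a timestamp and a fresh nonce and authenticates the whole envelope with an HMAC under the shared secret; the receiver checks the MAC first, rejects anything outside the freshness window, and refuses a nonce it has already seen inside that window. HMAC is a MAC rather than a true digital signature (both ends hold the same secret, so it proves authenticity to the peer but not to a third party); the secret, field names and the five-minute window are assumptions.

```python
# Added example: shared-secret authentication with nonce-based replay
# protection. Secret, field names and the skew window are assumptions.
import hashlib
import hmac
import json
import secrets
import time

SHARED_SECRET = b"example-shared-secret-rotate-me"   # assumed; from a key store
MAX_SKEW_SECONDS = 300


def _mac(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def sign_message(secret, body, now=None):
    """Sender side: envelope body with timestamp and nonce, then MAC all of it."""
    envelope = {
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
        "body": body,
    }
    # Canonical encoding so both ends MAC exactly the same bytes.
    payload = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": payload, "mac": _mac(secret, payload)}


class Receiver:
    def __init__(self, secret, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}   # nonce -> ts; entries outside the window are pruned

    def accept(self, message, now=None):
        """Return the body if authentic and fresh, else raise ValueError."""
        now = time.time() if now is None else now
        payload, mac = message["payload"], message["mac"]
        # 1. Authenticity: verify the MAC (constant time) before parsing anything.
        if not hmac.compare_digest(_mac(self.secret, payload), mac):
            raise ValueError("bad mac")
        envelope = json.loads(payload)
        # 2. Freshness: the timestamp bounds how long nonces must be remembered.
        if abs(now - envelope["ts"]) > self.max_skew:
            raise ValueError("stale")
        # 3. Uniqueness: a nonce already seen inside the window is a replay.
        self._prune(now)
        if envelope["nonce"] in self.seen:
            raise ValueError("replay")
        self.seen[envelope["nonce"]] = envelope["ts"]
        return envelope["body"]

    def _prune(self, now):
        for nonce, ts in list(self.seen.items()):
            if abs(now - ts) > self.max_skew:
                del self.seen[nonce]
```

The order of the checks matters: the MAC is verified before the JSON is parsed, so an attacker without the secret cannot feed arbitrary input to the parser, and the timestamp check runs before the nonce lookup, so the seen-nonce table only ever has to hold a few minutes' worth of entries.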

Threats from Malicious Strangers

  • Denial of service (DoS) attacks, flooding
How to prevent:
  • Throttling; temporarily blacklisting IP addresses that keep exceeding the limit
  • Firewalls, virtual private networks (when possible)
  • CAPTCHA; limiting resources (concurrent requests, expensive operations) per user
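Throttling, temporary IP blacklisting and per-user resource limits, as an added example that is not part of the original post: a token bucket per client address, escalation to a timed block when an address keeps hitting the limit, and a cap on concurrent in-flight work per authenticated user, which applies even when that user spreads requests over many addresses. The rates, strike count and block duration are assumptions to be tuned per application.

```python
# Added example: per-client throttling with escalation to a timed block, plus a
# per-user concurrency cap. All limits below are assumptions.
import time


class TokenBucket:
    """Refills at rate tokens/second up to burst; each request costs one token."""

    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), None

    def take(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Throttle:
    def __init__(self, rate_per_sec=5, burst=10, strikes_before_block=20,
                 block_seconds=600, max_inflight_per_user=3):
        self.rate, self.burst = rate_per_sec, burst
        self.strikes_before_block = strikes_before_block
        self.block_seconds = block_seconds
        self.max_inflight = max_inflight_per_user
        self.buckets, self.strikes = {}, {}
        self.blocked_until, self.inflight = {}, {}

    def check(self, client_ip, user=None, now=None):
        """Decide whether to serve a request.

        Returns 'ok', 'throttled', 'blocked' or 'too_many_inflight'. The caller
        must call release(user) once work for an 'ok' request has finished.
        """
        now = time.time() if now is None else now
        # Temporarily blacklisted addresses are rejected before any work is done.
        if self.blocked_until.get(client_ip, 0) > now:
            return "blocked"
        bucket = self.buckets.setdefault(client_ip, TokenBucket(self.rate, self.burst))
        if not bucket.take(now):
            # Persistent flooding escalates from throttling to a timed block.
            self.strikes[client_ip] = self.strikes.get(client_ip, 0) + 1
            if self.strikes[client_ip] >= self.strikes_before_block:
                self.blocked_until[client_ip] = now + self.block_seconds
                self.strikes[client_ip] = 0
                return "blocked"
            return "throttled"
        # Cap expensive concurrent work per user, independently of the address.
        if user is not None:
            if self.inflight.get(user, 0) >= self.max_inflight:
                return "too_many_inflight"
            self.inflight[user] = self.inflight.get(user, 0) + 1
        return "ok"

    def release(self, user):
        """Mark one unit of the user's in-flight work as finished."""
        if user is not None and self.inflight.get(user, 0) > 0:
            self.inflight[user] -= 1
```

A rejected request should be answered as cheaply as possible (a 429 or a dropped connection) and never trigger the work the limit is there to protect; in production the bucket and block tables would live in a shared store so that every front-end node sees the same counts.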

There are also checklist items related to authentication and authorization; they will be discussed in the next post.
