By Ajay Yadav
February 23, 2015
Lead: Become proficient with security aspects before a web application goes live over the
Internet.
Web applications have been produced to perform virtually every useful function we could possibly implement online, such as banking, online shopping, social networking, web mail, and auctions. As with any new class of technology, web applications have introduced a new range of security vulnerabilities. Sophisticated attacks have been conceived that were not considered when existing applications were developed, and new technologies have opened up a variety of new possibilities for exploitation. High-profile compromises of this kind continue to occur frequently.
The most critical attacks against web applications are those that uncover sensitive data or gain unrestricted access to the back-end systems on which the application is running. By some measure, web application security is today the most significant battleground between attackers and those with computer resources and data to protect, and it is likely to remain so for the foreseeable future. Web applications typically reach the production environment only after employing numerous back-end technologies, so security must be hardened across those technologies as well as the Web API in order to produce a fool-proof, secure application.
However, developers would rather focus on building attractive applications that meet end-user requirements and, unfortunately, skip essential security measures; this leads web applications into havoc. It is generally not assumed that developers can ensure comprehensive web framework protection, given the variety of implicit components working behind the scenes. Therefore, this paper presents some of the security aspects as quick guidelines that can be checked before a web application goes live over the Internet, easing the developer's task by ensuring protection to some extent.
Website Design
The following guidelines will help you construct a website that is as safe as it is attractive.
Website design must be extensive, feasible, and viable: partition it into layers so that presentation, logic, and database manipulation are each handled separately.
The website should be composed of restricted and public zones, and you should make sure that navigation between these zones does not allow sensitive information to flow.
Sensitive information that belongs to the website must be stored in encrypted form.
Input validation should be performed on both the client side and the server side, rather than relying solely on client-side validation.
The production and database servers should be placed in a secure DMZ and accessed only by privileged personnel.
User controls and Web controls should be separated into individual assembly files.
The website's directories and files should be authorized in a granular fashion.
An accurate exception-handling mechanism should be ensured in each corresponding website source-code file.
A secure mechanism must be identified to handle the transmission of sensitive information across the network.
Website Authentication
Confirm sensitive credentials are not stored in an XML file in clear text. Severe ☐
Resource Authorization
Input Validation
Confirm the HttpOnly cookie option is applied to defend against an XSS attack. Severe ☐
Parameters Handling
Confirm sensitive data does not reside in cookies, query strings, or hidden form fields. Severe ☐
Web Services
Confirm Page level exception handling is applied. Severe ☐
<processModel userName="Machine" password="AutoGenerate" />
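As an added example (not from the original article), the following web.config fragment applies several of the checklist items above: credentials kept out of clear-text XML, HttpOnly cookies, no credentials in the query string, page-level error handling, and a restricted zone separated from the public one. The application path, page names and connection-string values are assumed placeholders.

```xml
<?xml version="1.0"?>
<!-- Constructed web.config fragment; all paths and values are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Encrypt this section before deployment so credentials are not stored in clear text:
         aspnet_regiis.exe -pe "connectionStrings" -app "/MyApp"
         The runtime decrypts it transparently; the XML on disk stays ciphertext. -->
    <add name="AppDb"
         connectionString="Server=DB_HOST_PLACEHOLDER;Database=AppDb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- HttpOnly keeps session and auth cookies out of reach of script (XSS checklist item);
         requireSSL keeps them off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Forms authentication ticket travels only in a cookie, never in the query string. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" requireSSL="true" cookieless="UseCookies"
             protection="All" timeout="20" slidingExpiration="true" />
    </authentication>
    <!-- Page-level exception handling: remote users get a generic page, never a stack trace. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
    <!-- Debug builds leak internals; keep it off in production. -->
    <compilation debug="false" />
    <!-- Do not advertise the ASP.NET version in response headers. -->
    <httpRuntime enableVersionHeader="false" />
    <!-- Request validation plus encrypted, MAC-protected view state (hidden form field). -->
    <pages validateRequest="true" viewStateEncryptionMode="Always" enableViewStateMac="true" />
  </system.web>
  <!-- Restricted zone: anonymous users ("?") are denied; the public zone inherits the defaults. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The processModel element shown above lives in machine.config rather than web.config, so the worker-process identity is configured there alongside this fragment.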
Privilege Management
Deployment
Final Note
This rare cheat sheet gives developers a quick snapshot of the essential configuration, with concentrated guidance on building a secure web application. Website programmers can consult this cheat sheet while applying security measures quickly, rather than dwelling on detailed security settings. We have seen various significant ASP.NET security configurations that could be beneficial for both developers and penetration testers.
Ajay Yadav