
In order to secure a web application, one must understand and model the many threats a web application faces. Only then can one accurately assess the potential vulnerabilities of the application and determine the best countermeasures and attack mitigation strategies. Furthermore, such threat modeling should take place during the application design phase, before any code is written. Since security tends to touch nearly every part of the application, threats identified during a code review tend to be more expensive to correct than threats identified in the design phase. That being said, code reviews during the development phase remain an essential part of security, and are still typically much more cost-effective than fixing a security threat discovered in production code.
Some of the most common threats to web applications and their countermeasures are discussed in the section “Most Common Web Application Threats”. Below we’ll take a different approach by looking at some of the most common vulnerabilities which make those and a host of other threats possible.
Most Common Web Application Threats
James Dickman, Web Developer
Web application security is a never-ending game of cat and mouse. As soon as the latest threat is mitigated, a new threat emerges. However, there are some common threats that everyone from the most experienced hacker to your run-of-the-mill ‘script kiddie’ will focus on. Don’t let your web application fall victim to any of the following threats:
Poor Input Validation: An application which doesn’t assume that its inputs are inherently insecure is vulnerable to attack. A secure web application always assumes that input requires validation prior to further processing. Lack of input validation leaves web applications vulnerable to attacks like SQL injection, cross-site scripting, and buffer overflows.
Insecure Stack Tracing and Exception Handling: Does your web application fail both gracefully and securely? A secure web application does not send stack traces or exception details back to the client, where an attacker could use them to probe your system for vulnerabilities.
Unprotected Sensitive Data: How does the web application protect sensitive data? Is it encrypted when sent across networks? Is it protected when in memory or in persisted stores? Does it use tamper-resistant protocols when appropriate? A secure web application should answer ‘yes’ to these questions.
Insecure Session Management: Can attackers hijack, replay or intercept your sessions? When a compromised session presents a security threat to an application, sessions should be encrypted. Requiring reauthorization prior to performing secure operations can increase security.
Poor Auditing and Logging: Logging critical areas of the application and auditing those logs, particularly any unusual activity, is an essential part of securing a web application.
Inadequate Authentication: If an application doesn’t know who a user is, how can the application be secure? Secure web applications require credentials to be provided to authenticate users of the application.
Inadequate Authorization: A secure application doesn’t stop at knowing who a user is; it must also determine what resources an authenticated user should have access to.
Poor Administration and Configuration Management: Configuration files and administrative interfaces should be protected by restricted ACLs and permissions. Additionally, over-privileged services and accounts may be manipulated by an attacker.
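The following added example (not part of the original article) illustrates the "Insecure Stack Tracing and Exception Handling" and "Poor Auditing and Logging" items together: a handler that leaks the stack trace to the client, beside one that records the detail server-side and returns only a reference id. The function names, account data, client address and in-memory log sink are constructed for illustration.

```python
import io
import logging
import traceback
import uuid

# Server-side audit log. A StringIO stands in for the real log sink (assumption).
audit_sink = io.StringIO()
audit_log = logging.getLogger("app.audit")
audit_log.setLevel(logging.INFO)
audit_log.addHandler(logging.StreamHandler(audit_sink))
audit_log.propagate = False


def lookup_account(account_id):
    """Constructed business function that raises on an unknown id."""
    accounts = {"1001": "alice"}  # constructed sample data
    return accounts[account_id]


def leaky_handler(account_id):
    """Before: the full stack trace is sent back in the response body."""
    try:
        return 200, lookup_account(account_id)
    except Exception:
        return 500, traceback.format_exc()


def safe_handler(account_id, client_ip):
    """After: fail gracefully and securely, and leave an auditable record."""
    try:
        return 200, lookup_account(account_id)
    except Exception:
        incident = uuid.uuid4().hex
        # logging.exception writes the traceback to the server-side log only.
        # %r escapes control characters in the untrusted value, so it cannot
        # forge extra log lines.
        audit_log.exception("incident=%s client=%s account_id=%r",
                            incident, client_ip, account_id)
        # The client gets a generic message plus an id support staff can
        # correlate with the audit log entry.
        return 500, f"Internal error. Reference: {incident}"
```
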