Even the most useful web application in the world would be essentially worthless without good security. To write good code requires one to write secure code. To write secure code requires one to make secure coding principles an integral part of each phase of the software development life cycle. Furthermore, a secure web application requires more than secure code, it requires that code reside on a secure host within a secure network. After all, vulnerabilities in any part of the system may allow attackers to compromise other areas of the system, even if they are secured in their own right. Defenders must defend all possible points of attack, while attackers will look for the weakest points to attack.
There are no cookie cutter approaches to security. Securing a web application requires a unique and comprehensive approach specific to that application. This article series is meant as an overview of important web application security concepts. Some of the most important security best practices are summarized below:
Reduce attack surface: Block unnecessary ports and disable any unnecessary services and accounts. Compartmentalize and use least privilege, thereby minimizing the attack surface and the available resources if a compartment is compromised.
Use layered gate keeping: Don’t just check at the first gate. Establish multiple layers of security, and plan your security assuming that one or more of these layers may be compromised.
Do not trust user input: Assume all user input is malicious. Always use input validation, especially when a security boundary is being crossed.
Fail gracefully and securely: When your application fails, don’t reveal information which could aid attackers.
Use threat modeling: Model the threats your application is likely to face before you ever begin coding.
Use secure code reviews: During development you should be regularly looking for insecure coding techniques and vulnerabilities. This will not only help secure your application, it will shore up your secure coding practices in general.
Remember, attackers have the advantage. Always be diligent in your attempts to secure your web application. As the defender you must secure all points, as the attacker may probe for the weakest point and attack it. Use threat modeling to understand what that link is and secure it. While defenders must focus on known attacks, attackers may probe for unknown vulnerabilities, so you must limit the ability of attackers to probe your system for such weaknesses. Secure the network, host and application. Never assume that a securely coded application will be safe on an insecure host or network
Below is a list of articles covering the topic of web application security: