Web applications are huge nowadays. While making desktop applications is still big business, it is more likely that software will be developed to be used within a web browser. Web development comprises a number of different technologies, often requiring different skill sets to create. Back-end programmers rarely deal with the front-end HTML, database admins are responsible for their little section of the system, and so on. It is a rare individual who can do all of these things (especially do them well); while one or two people can make a SOHO application, especially if it is self-hosted, anything that is going to handle a large number of clients will have to have teams of people working on it.
Obviously, with all these people, ensuring security in the design is paramount (or it should be). If any one part of the application is insecure, the entire system is vulnerable. Each person has to ensure that they think about security when they are doing their part.
Though the site is outdated, Microsoft has a good page of web development topics. It lists 10 vulnerabilities that occur in web apps due to bad design. While I won’t go into detail about all of these, I’ll touch on some of the more significant areas.
1. Input validation
4. Configuration Management
5. Sensitive Data
6. Session Management
8. Parameter Manipulation
9. Exception Management
10. Auditing and Logging
I’ve talked about input validation before, but I’ll cover it again. Input validation is the front line in secure programming. If the attacker can’t get through the front door, hopefully he’ll move on to an easier target. Input validation attempts to block cross-site scripting, SQL injection, buffer overflows, and other related attacks.
If you assume that all input from an external source has a malicious intent, it will help your mindset when it comes to defensive programming. Develop a central repository of validation and filtering code that can be used by other programs; this ensures that the same code is being used throughout all projects. This makes it easy to patch or upgrade while ensuring consistency among programs.
As part of input validation, you need to accept known good data (based on type, length, format, and range), reject known bad data, and sanitize what’s left. Sanitizing includes stripping extraneous characters (like spaces or null characters), escaping out values to create literal text, and encoding URLs or HTML to make literal text rather than executable scripts.
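The accept/reject/sanitize sequence above, written as a small shared validation module. This is an added example, not code from the original post; the field names, rules and `validate`/`is_valid` helpers are assumptions chosen to illustrate the approach.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical central validation module: one allow-list rule per field, shared by every program.
@dataclass(frozen=True)
class Rule:
    pattern: str                 # format: anchored regex the whole value must match
    max_len: int                 # length
    min_val: Optional[int] = None   # range, numeric fields only
    max_val: Optional[int] = None

RULES = {
    "username": Rule(r"[A-Za-z0-9_]{3,32}", 32),
    "quantity": Rule(r"[0-9]{1,4}", 4, min_val=1, max_val=1000),
    "comment":  Rule(r".{0,200}", 200),   # free text, so sanitizing matters here
}

# Known bad: NUL and other control characters (tab, CR and LF are allowed).
_BAD_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

class ValidationError(ValueError):
    pass

def validate(field: str, raw) -> str:
    """Return a sanitized copy of `raw` for `field`, or raise ValidationError."""
    rule = RULES[field]
    # 1. Accept known good: check type, length, format and range, in that order.
    if not isinstance(raw, str):
        raise ValidationError(f"{field}: expected a string")
    if len(raw) > rule.max_len:
        raise ValidationError(f"{field}: longer than {rule.max_len} characters")
    if not re.fullmatch(rule.pattern, raw, re.DOTALL):
        raise ValidationError(f"{field}: does not match the expected format")
    if rule.min_val is not None and not rule.min_val <= int(raw) <= rule.max_val:
        raise ValidationError(f"{field}: out of range")
    # 2. Reject known bad: control characters never belong in form input.
    if _BAD_CHARS.search(raw):
        raise ValidationError(f"{field}: contains control characters")
    # 3. Sanitize what is left: trim, then HTML-encode so the value is literal text, not markup.
    return html.escape(raw.strip(), quote=True)

def is_valid(field: str, raw) -> bool:
    try:
        validate(field, raw)
        return True
    except ValidationError:
        return False
```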
When working with data over a network, assume that it will be intercepted. How would you deal with this? If you are sending data such as passwords and user names unencrypted, it’s only a matter of time before they are captured and used to break into your system. Therefore, use a secure transmission channel, like SSH or TLS/SSL, instead of insecure protocols like TFTP or Telnet.
If you have a database of valuable information, like credit card data, addresses, etc., make sure the database is encrypted with a good encryption scheme. When storing passwords, don’t store them in plain text; use a strong hashing algorithm and salt the passwords first.
Again, if the programming language you’re using has built-in libraries that will do what you want, use them. Don’t make your own and don’t rely on an unknown third-party’s library, as you’ll only create new vectors for attack.