Application security 10 Commandments
Many people ask "what should I do to implement Application Security?"
Well, it is not so simple but if you want to make a long story short you should do the following:
- Create a threat modeling document.
- Make sure you take care of the following issues:
· Input Validation
o Map all your inputs and make sure all inputs coming from an untrusted source are properly validated.
o Users are properly authenticated, and the authentication ticket is properly handled.
o The right to perform an action is given to the correct user. Authorization is handled with a secure technology.
· Configuration Management
o Configuration information is well secured as it is holding super sensitive data.
· Sensitive Data
o Define which data is sensitive in the application context.
· Session Management
o Make sure the session data is well protected.
o Use the correct cryptographic algorithm. Use cryptography only when needed.
· Parameter Manipulation
o Parameters which the application uses and transfers between modules and UI are properly secured.
· Exception Management
o Exception information are properly sanitized and logged.
· Auditing and Logging
o Information about the application runtime state is logged to enable monitoring. Proper tools are supplied to enable querying this info.
- Perform security testing.
- Make sure your product is properly deployed.
- Communicate security issues with your customers.