Application security 10 Commandments

Application security 10 Commandments

Many people ask "what should I do to implement Application Security?"

Well, it is not so simple but if you want to make a long story short you should do the following:

1. Create a threat modeling document.  
2. Make sure you take care of the following issues:  

·         Input Validation

o   Map all your inputs and make sure all inputs coming from an untrusted source are properly validated.

·         Authentication

o   Users are properly authenticated, and the authentication ticket is properly handled.

·         Authorization

o   The right to perform an action is given to the correct user. Authorization is handled with a secure technology.

·         Configuration Management

o   Configuration information is well secured as it is holding super sensitive data.

·         Sensitive Data

o   Define which data  is sensitive in the application context.

·         Session Management

o   Make sure the session data is well protected.

·         Cryptography

o   Use the correct cryptographic algorithm. Use cryptography only when needed.

·         Parameter Manipulation

o   Parameters which the application uses and transfers between modules and UI are properly secured.

·         Exception Management

o   Exception information are properly sanitized and logged.

·         Auditing and Logging

o   Information about the application runtime state is logged to enable monitoring. Proper tools are supplied to enable querying this info.

1. Perform security testing.
   
2. Make sure your product is properly deployed.
   
3. Communicate security issues with your customers.

manu