6 Simple steps to secure your Web Application - Simon Chulsky's Blog

6 Simple steps to secure your Web Application


How do you pass security tests for customers like banks?

One of KCS's customers is a large commercial bank. When a bank evaluates your product (or any other product), IT security issues take first priority; I think only customers from the defense industry prioritize security issues this highly. This post describes the interesting parts of the process I went through and gives technical tips for anyone preparing to go through the same process.

Usually banks and other enterprise customers use outsourcing services to test product security risks. Commonly, security tests include interviews, simulated attacks, and penetration tests on the following tiers:

  • Computers
  • Communication
  • Installations
  • Applications, to pinpoint vulnerabilities

So let's start with a few steps to secure your web application.

Step 1 - Daily Programming Rules

  • Always validate user input; it is necessary to isolate your system from attacks like SQL injection, XSS, buffer overflow, etc.
  • Don't store any passwords or user names on disk or in memory in plain text.
  • Don't keep any secret information in your code; it can easily be stolen by reverse engineering.
  • Do not write any business information to the server file system, only to the database.
  • Don't hold security-sensitive information in the IIS Session or cache.
  • Do not use ActiveX controls, if possible.
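As an added example (not code from the original post), here is how the first rule looks in ASP.NET code: a whitelist check on the user name, a parameterized SqlCommand instead of string concatenation, and HTML encoding on anything echoed back to the page. The Users table, its columns and the parameter name are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the original post): the "validate user input" rule of Step 1
// applied to a user lookup. Table, column and parameter names are assumptions.
public static class UserLookup
{
    // Whitelist: 3-32 letters, digits, dots or underscores. Rejecting everything else
    // stops most injection and XSS payloads before they reach the database or the page.
    static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9._]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string userName)
    {
        return userName != null && UserNamePattern.IsMatch(userName);
    }

    // VULNERABLE (shown for contrast only): the value is concatenated into the SQL text,
    // so a quote character in the input changes the query itself.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT UserId FROM Users WHERE UserName = '" + userName + "'";
    }

    // HARDENED: validate first, then pass the value as a typed parameter.
    // The SQL text is constant; the value can never be interpreted as SQL.
    public static int? FindUserId(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("User name has an invalid format.", "userName");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT UserId FROM Users WHERE UserName = @UserName", conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 32).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null;
            return Convert.ToInt32(result);
        }
    }

    // Output side of the same rule: anything rendered into HTML is encoded, so a stored
    // or reflected "<script>" tag is shown as text instead of being executed.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }
}
```

The whitelist is the first line of defense, but the parameterized command is what makes the query safe even for fields where a strict pattern is impossible (free-text comments, for example); use both, and encode on output regardless of what was validated on input.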

Step 2 - Web Server Session Management

  • Set your IIS session timeout to 30 minutes.
  • Add a "Sign Out" button on each web page. When the user clicks this button, the IIS session will be closed.
  • Close the IIS session on the web browser close event.
  • Close the IIS session when the user navigates to another web site by handling the page unload event, if possible.
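The four rules above as an ASP.NET code-behind, added here as an example and not taken from the original post. The control name btnSignOut, the /SignOut.ashx handler path and the Login.aspx page are assumptions; the client-side part is best effort, since a browser cannot reliably tell the server that it is closing.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;

// Added example (not from the original post): ASP.NET page implementing the Step 2 rules.
// btnSignOut, /SignOut.ashx and Login.aspx are assumed names.
public partial class SecurePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Rule 1: 30-minute idle timeout (same effect as <sessionState timeout="30"/> in web.config).
        Session.Timeout = 30;

        // Rules 3 and 4: when the window closes or the user leaves for another site, the browser
        // sends a beacon that ends the server session. A click on anything inside the application
        // (button, postback link, same-host link) clears the flag first, so in-site navigation
        // keeps the session alive; only off-site links and closing the window trigger the beacon.
        const string script =
            "var leavingSite = true;" +
            "document.addEventListener('click', function (ev) {" +
            "  var a = ev.target.closest ? ev.target.closest('a') : null;" +
            "  leavingSite = !!(a && a.host && a.host !== location.host);" +
            "});" +
            "window.addEventListener('beforeunload', function () {" +
            "  if (leavingSite && navigator.sendBeacon) { navigator.sendBeacon('/SignOut.ashx'); }" +
            "});";
        ClientScript.RegisterStartupScript(GetType(), "sessionGuard", script, true);
    }

    // Rule 2: the "Sign Out" button present on every page.
    protected void btnSignOut_Click(object sender, EventArgs e)
    {
        EndSession(Context);
        Response.Redirect("~/Login.aspx", false);
    }

    // Ends the session; shared by the button and by the beacon handler below.
    public static void EndSession(HttpContext context)
    {
        context.Session.Clear();        // drop everything held in the session
        context.Session.Abandon();      // end the server-side session
        FormsAuthentication.SignOut();  // remove the forms-authentication cookie, if forms auth is used
        // Expire the session cookie so the old id is not sent again on the next request.
        HttpCookie expired = new HttpCookie("ASP.NET_SessionId", string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        context.Response.Cookies.Add(expired);
    }
}

// Handler behind /SignOut.ashx; IRequiresSessionState gives it access to the session.
public class SignOutHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        SecurePage.EndSession(context);
        context.Response.StatusCode = 204;
    }
}
```

Put the Page_Load logic and the button in the master page rather than copying it into every page. The server-side timeout is the control you can rely on; the unload beacon only shortens the window in the common case, because a killed browser process, a lost network connection or a user who never clicks before closing the window all bypass it.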

Step 3 - IIS & Web Site configuration

  • Uncheck the anonymous access checkbox on your web site. This recommendation is relevant for enterprise software, not for public web sites.
  • Use the .NET DPAPI library to encrypt the connection string to the database; this is very important. Don't write the encryption key in code, to defend your system from reverse engineering; store the key in the Registry.
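An added example (not from the original post) of the DPAPI rule using System.Security.Cryptography.ProtectedData. DPAPI keys are managed by Windows, so what the application keeps out of its code is the "optional entropy" that DPAPI mixes into the key; storing that entropy under a registry key, as the post advises for the key, and the registry path itself are assumptions here. The sample connection string also uses Integrated Security=SSPI, in line with Step 5 below.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

// Added example (not from the original post): DPAPI protection of the connection string.
// The registry path and the use of a registry value as DPAPI entropy are assumptions.
public static class ConnectionStringProtector
{
    const string RegistryPath = @"SOFTWARE\ExampleCorp\BankApp"; // assumed path
    const string EntropyValueName = "DpapiEntropy";

    // Per-application secret mixed into the DPAPI key. It lives in the registry, not in the
    // binary, and the key's ACL should be restricted to the IIS application pool identity.
    static byte[] LoadEntropy()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(RegistryPath))
        {
            byte[] entropy = key == null ? null : key.GetValue(EntropyValueName) as byte[];
            if (entropy == null || entropy.Length < 16)
                throw new InvalidOperationException(
                    "DPAPI entropy is missing; run the installer step that creates it.");
            return entropy;
        }
    }

    // One-time installer step (run as an administrator): 32 random bytes under the registry path.
    public static void CreateEntropy()
    {
        byte[] entropy = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(entropy);
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(RegistryPath))
            key.SetValue(EntropyValueName, entropy, RegistryValueKind.Binary);
    }

    // LocalMachine scope: the ciphertext can only be decrypted on the server that produced it,
    // so a copied config file is useless elsewhere.
    public static string Protect(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        byte[] cipher = ProtectedData.Protect(plain, LoadEntropy(), DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string protectedBase64)
    {
        byte[] cipher = Convert.FromBase64String(protectedBase64);
        byte[] plain = ProtectedData.Unprotect(cipher, LoadEntropy(), DataProtectionScope.LocalMachine);
        string connectionString = Encoding.UTF8.GetString(plain);
        Array.Clear(plain, 0, plain.Length); // don't leave the plaintext copy in memory
        return connectionString;
    }
}

// Usage (assumed names): at install time call CreateEntropy(), then
//   Protect("Server=db01;Database=Bank;Integrated Security=SSPI")
// and store the Base64 result in appSettings; at run time call Unprotect(...) immediately
// before opening the SqlConnection, and do not cache the plaintext in Session or Application state.
```

If the connection string lives in the connectionStrings section of web.config, ASP.NET 2.0 can do the same job without custom code: aspnet_regiis.exe -pe "connectionStrings" -app "/YourApp" encrypts the section with DataProtectionConfigurationProvider (DPAPI), and ConfigurationManager.ConnectionStrings decrypts it transparently at run time. The class above is for settings stored elsewhere, or when you want the entropy under your own control.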

Step 4 - Web Browser Settings

  • Disable the browser's automatic caching and history functionality; otherwise an unauthorized user can search for business content in the Temp directory on the client PC. Do it using HTTP meta tags:
    <META HTTP-Equiv = "Expires" Content = "now">
    <META HTTP-Equiv = "Pragma" Content = "no-cache">
  • Disable the browser's automatic AutoComplete functionality. Do it with the AUTOCOMPLETE attribute on the form tag:
    <FORM AUTOCOMPLETE = "off">
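Meta tags are only honored when the browser parses the HTML; file downloads, AJAX responses and proxies never see them. As an added example (not from the original post), the same intent sent as HTTP response headers from an HttpModule, so every response from the application carries it. The module name is an assumption; register it under httpModules (IIS 6) or modules (IIS 7 integrated pipeline) in web.config.

```csharp
using System;
using System.Web;

// Added example (not from the original post): the no-cache rule of Step 4 as response headers
// applied to every response. NoStoreModule is an assumed name.
public class NoStoreModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Runs just before the headers go out, so it wins over page-level cache settings.
        app.PreSendRequestHeaders += delegate(object sender, EventArgs e)
        {
            ApplyNoStore(((HttpApplication)sender).Response);
        };
    }

    public static void ApplyNoStore(HttpResponse response)
    {
        // Cache-Control: no-cache, no-store, must-revalidate
        // no-store is the part that keeps the page out of the Temp directory on the client.
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);

        // Expires header in the past: the header equivalent of the Expires meta tag.
        response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));

        // Pragma: no-cache for HTTP/1.0 proxies and old browsers that ignore Cache-Control.
        response.AppendHeader("Pragma", "no-cache");
    }

    public void Dispose() { }
}
```

Keep the meta tags as well; they cost nothing and cover a cached copy that is re-parsed from disk. Check the result with the browser's developer tools or a proxy: the response must show Cache-Control with no-store on pages that carry business data, including those served after a postback.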

Step 5 - Authentication

  • Use strong authentication on any connection between system modules.
  • Use only Windows Authentication when establishing a connection to the database server.

Step 6 - Networking Protocols

  • Use the SSL v3 protocol for client-server communication.
  • If the web application calls methods in a web service, use WSE 3.0 to secure the SOAP protocol.

So good luck! And feel free to ask me how to implement any step in this short manual.

Published Monday, September 24, 2007 4:21 PM by Simon Chulsky
