Showing posts with the label secure

CSSLP - Certified Secure Software Lifecycle Professional (overview)

The following is an example of secure software controls that should be considered throughout the life cycle of a software development project. Depending on the type of organization, some or all of these controls should be factored in. Military organizations generally need more stringent controls built in than civilian organizations.

Security in the Systems Development Life Cycle

Requirements Gathering: Business Partner Engagement; Identify Policies & Standards; Identify Regulatory & Legal Requirements; Identify Privacy Requirements; Identify Compliance Requirements; Develop C, I, A* Goals & Objectives; Develop Procurement Requirements; Perform Risk Assessment

Design: Use and Abuse Case Modeling; Secure Design Review; Secure Architecture Review; Threat & Risk Modeling; Generate Security Requirements; Generate Security Test Cases

Develop...

Your Plan to Secure your code

Never trust the user!

Validate all input coming from a user. This includes any part of an HTTP request that you're processing: the header names and values, the cookie names and values, the query string parameters, web form values, and any other data included in the message body.

Always use whitelist input validation to test input; that is, test whether an input matches an expected good format and reject it if it doesn't. Avoid blacklist input validation; that is, testing whether an input matches an expected bad format and rejecting it if it does.

Never perform validation only on the client side; an attacker can easily bypass these controls. Always validate on the server side.

Use regular expressions for more complicated validation logic like testing e-mail addresses. Unless you're a regex expert, also consider using regex from one of the public databases such as regexlib.com or a commercial regex ...