Securing Your Application


The guide defines a set of application vulnerability categories to help you design and build secure Web applications and evaluate the security of existing applications. These are common categories that span multiple technologies and components in a layered architecture. These categories are the focus for discussion through the designing, building, and security assessment chapters in this guide.

Table 2: Application Vulnerability Categories

Category | Description
---|---
Input Validation | How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing.
Authentication | Who are you? Authentication is the process that an entity uses to identify another entity, typically through credentials such as a user name and password.
Authorization | What can you do? Authorization is the process that an application uses to control access to resources and operations.
Configuration Management | Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Sensitive Data | Sensitive data is information that must be protected either in memory, over the wire, or in persistent stores. Your application must have a process for handling sensitive data.
Session Management | A session refers to a series of related interactions between a user and your Web application. Session management refers to how your application handles and protects these interactions.
Cryptography | How are you protecting secret information (confidentiality)? How are you tamperproofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
Parameter Manipulation | Form fields, query string arguments, and cookie values are frequently used as parameters for your application. Parameter manipulation refers to both how your application safeguards tampering of these values and how your application processes input parameters.
Exception Management | When a method call in your application fails, what does your application do? How much does it reveal about the failure condition? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Auditing and Logging | Who did what and when? Auditing and logging refer to how your application records security-related events.
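The Input Validation and Exception Management rows describe two decisions every request handler makes: constrain input before it is processed, and decide how much a failure reveals. The following Python example is added here to show both together; it is not code from the guide (which targets ASP.NET), and the username and quantity rules, the `handle_order` shape, and the sample form submissions are all assumptions constructed for the example. Validation rejects anything outside an allowlist before it is converted or used, and failures are split into two kinds: rule violations return the rule text, while any other exception is logged in full on the server and the caller receives only a generic message and a reference id.

```python
import logging
import re
import uuid

# Allowlist policy assumed for this example (not from the guide): a username is
# 3-20 ASCII letters, digits or underscores; a quantity is 1-3 decimal digits.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
DIGITS_RE = re.compile(r"[0-9]{1,3}")

log = logging.getLogger("order")


class ValidationError(ValueError):
    """Input rejected by a validation rule. The message names the rule, not the
    offending input, so it is safe to return to the end user."""


def validate_username(raw):
    # Type check plus allowlist match; anything else is rejected, not cleaned up.
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username must be 3-20 letters, digits or underscores")
    return raw


def validate_quantity(raw, lo=1, hi=100):
    # Constrain format first (digits only: no sign, whitespace or Unicode digits),
    # then range; int() is only called on a string that already passed the allowlist.
    if not isinstance(raw, str) or not DIGITS_RE.fullmatch(raw):
        raise ValidationError("quantity must be a whole number")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValidationError("quantity must be between %d and %d" % (lo, hi))
    return value


def parse_order(form):
    """Validate every field of a submitted form; returns typed, trusted values."""
    return {
        "username": validate_username(form.get("username")),
        "quantity": validate_quantity(form.get("quantity")),
    }


def handle_order(form, place_order):
    """Exception management: a validation failure becomes a 400 carrying the rule
    text; any other failure is logged in full server-side and the caller gets only
    a generic message plus a short reference id to quote to support."""
    try:
        return 200, {"order": place_order(parse_order(form))}
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("order failed ref=%s", ref)  # stack trace stays in the server log
        return 500, {"error": "The order could not be processed", "ref": ref}


if __name__ == "__main__":
    # Constructed sample submissions; place_order stand-ins succeed or fail on demand.
    def accept(order):
        return dict(id=1, **order)

    def backend_down(order):
        raise RuntimeError("database unavailable")

    print(handle_order({"username": "alice_1", "quantity": "5"}, accept))
    print(handle_order({"username": "alice smith", "quantity": "5"}, accept))
    print(handle_order({"username": "bob", "quantity": "500"}, accept))
    print(handle_order({"username": "bob", "quantity": "5"}, backend_down))
```

The split between the two `except` clauses is the point: the user-facing message for an unexpected failure never includes the exception text, while the reference id lets an operator find the full record in the log, which also serves the Auditing and Logging row.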



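The Parameter Manipulation row says the application must safeguard form fields, query strings and cookie values against tampering, and the Cryptography row names integrity as one of the properties cryptography provides. The Python example below is added to show one standard way to do that and is not code from the guide: the server serializes the parameters it wants to round-trip through the client, appends an HMAC-SHA256 tag under a server-side key, and on return recomputes the tag and compares it in constant time. The key, parameter names and token layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only. In a deployment the key comes from
# protected configuration (see the Configuration Management row), never from the request.
SERVER_KEY = b"example-only-signing-key-not-for-production"


def _b64e(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


def sign_params(params, key=SERVER_KEY):
    """Serialize params canonically and append an HMAC-SHA256 tag.
    The body stays readable by the client (integrity only, not confidentiality),
    so it must not carry sensitive data; the tag only lets the server detect change."""
    body = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_params(token, key=SERVER_KEY):
    """Return the original params, or None if the token is malformed or the tag
    does not match. The comparison is constant-time."""
    try:
        b64_body, b64_tag = token.split(".", 1)
        body, tag = _b64d(b64_body), _b64d(b64_tag)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def altered_copy(token, **changes):
    """Stand-in for a client editing the readable body while keeping the old tag;
    used only to show that verify_params rejects the result."""
    b64_body, b64_tag = token.split(".", 1)
    params = json.loads(_b64d(b64_body))
    params.update(changes)
    body = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + b64_tag


if __name__ == "__main__":
    # Constructed hidden-field value for a checkout form.
    token = sign_params({"item": "sku-42", "price": "19.99"})
    print("intact  :", verify_params(token))
    print("altered :", verify_params(altered_copy(token, price="0.01")))
    print("bad key :", verify_params(token, key=b"some-other-key"))
    print("garbage :", verify_params("not-a-token"))
```

A verified token proves only that the server produced those values; it does not make them sensible, so the returned parameters still go through the same validation as any other input, and anything that must stay confidential (Sensitive Data row) belongs in server-side session state rather than in a signed client-side value.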

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613