The guide defines a set of application vulnerability categories to help you design and build secure Web applications and evaluate the security of existing applications. These are common categories that span multiple technologies and components in a layered architecture. These categories are the focus for discussion through the designing, building, and security assessment chapters in this guide.
| Category | Description |
|---|---|
| Input Validation | How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. |
| Authentication | Who are you? Authentication is the process that an entity uses to identify another entity, typically through credentials such as a user name and password. |
| Authorization | What can you do? Authorization is the process that an application uses to control access to resources and operations. |
| Configuration Management | Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues. |
| Sensitive Data | Sensitive data is information that must be protected either in memory, over the wire, or in persistent stores. Your application must have a process for handling sensitive data. |
| Session Management | A session refers to a series of related interactions between a user and your Web application. Session management refers to how your application handles and protects these interactions. |
| Cryptography | How are you protecting secret information (confidentiality)? How are you tamperproofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity. |
| Parameter Manipulation | Form fields, query string arguments, and cookie values are frequently used as parameters for your application. Parameter manipulation refers to both how your application safeguards these values against tampering and how your application processes input parameters. |
| Exception Management | When a method call in your application fails, what does your application do? How much does it reveal about the failure condition? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully? |
| Auditing and Logging | Who did what and when? Auditing and logging refer to how your application records security-related events. |
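The following is an added example, not code from the guide, showing how several of these categories meet in one request handler: a price carried in a hidden form field is made tamper-evident with an HMAC tag (Parameter Manipulation, Cryptography), the recovered value is checked against an allowlist pattern (Input Validation), the user sees only a generic message while the detailed reason is written to an audit record (Exception Management, Auditing and Logging). The key, the `price` field, the in-memory `AUDIT_LOG`, and the `process_checkout` handler are all constructed for this illustration and are not part of the guide.

```python
import base64
import hashlib
import hmac
import re

# Constructed example key. A real application loads it from protected
# configuration (see the Configuration Management category), never from source.
SERVER_KEY = b"example-only-server-key-0123456789"

# Allowlist for a price field: 1-6 digits with an optional two-decimal fraction.
# Anything that does not match this exact shape is rejected.
PRICE_PATTERN = re.compile(r"^[0-9]{1,6}(\.[0-9]{2})?$")

# Constructed in-memory audit log; a real application writes to a protected store.
AUDIT_LOG = []


def audit(event: str, user: str, detail: str) -> None:
    """Record who did what and why; the detail stays server-side."""
    AUDIT_LOG.append({"event": event, "user": user, "detail": detail})


def sign_parameter(value: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 tag so the server can detect an altered value.
    Layout is '<value>.<base64url tag>'; the base64url alphabet never contains '.'."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
    return f"{value}.{tag}"


def verify_parameter(signed: str, key: bytes = SERVER_KEY):
    """Return the embedded value if its tag is genuine, otherwise None.
    compare_digest keeps the comparison constant-time."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(sign_parameter(value, key), signed):
        return None
    return value


def validate_price(raw: str):
    """Allowlist validation: accept only the exact shape the application expects."""
    return raw if PRICE_PATTERN.fullmatch(raw) else None


def render_checkout_form(user: str, price: str) -> dict:
    """Server side of the round trip: the price is emitted as a signed hidden field."""
    return {"user": user, "price": sign_parameter(price)}


def process_checkout(form: dict) -> dict:
    """Handle the submitted form. Callers get a friendly message only; the
    reason for any rejection goes to the audit log, not to the response."""
    user = form.get("user", "anonymous")
    signed = form.get("price", "")
    try:
        price = verify_parameter(signed)
        if price is None:
            audit("parameter_tamper", user, f"bad or missing tag on price={signed!r}")
            return {"status": 400, "message": "Your request could not be processed."}
        if validate_price(price) is None:
            audit("input_rejected", user, f"price failed allowlist: {price!r}")
            return {"status": 400, "message": "Your request could not be processed."}
        audit("checkout_ok", user, f"price={price}")
        return {"status": 200, "message": f"Charged {price}."}
    except Exception as exc:  # fail closed; never echo internal exception text to the caller
        audit("exception", user, f"{type(exc).__name__}: {exc}")
        return {"status": 500, "message": "An internal error occurred."}


if __name__ == "__main__":
    form = render_checkout_form("alice", "19.99")
    print(process_checkout(form))                       # genuine round trip -> 200
    tampered = dict(form, price="1.00" + form["price"][form["price"].rindex("."):])
    print(process_checkout(tampered))                   # edited value, old tag -> 400
    print(process_checkout({"user": "bob", "price": "19.99"}))  # no tag at all -> 400
    print(AUDIT_LOG)
```

The tag binds the value to a server-held key, so a client can still read the price but cannot change it without the server noticing; validation still runs afterwards, because a genuine tag only proves the server produced the value, not that the value is fit for the operation about to use it.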