How are Web Applications Securely Coded?
As organizations become more mindful of the critical role of cybersecurity in their business, they are increasingly interested in web application development with security at the forefront. A savvy developer with a security mindset will engage in coding practices such as the following recommendations from the Open Web Application Security Project (OWASP)[1]:
Input validation. Practices include: conducting all data validation on a trusted system, identifying and classifying all data sources, having a centralized input validation routine, encoding data to a common character set before validating, validating for expected data types, data range, and data length.
Output encoding. Practices include: conducting all encoding on a trusted system, utilizing a standard and tested routine for each type of outbound encoding, encoding all characters unless they are known to be safe for the intended interpreter, and sanitizing all output of untrusted data to operating system commands.
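As an added example (not from the article or the OWASP guide), this Python sketch combines the two practices above: a centralized validation routine that canonicalizes to a common character set before checking type, range and length, and an allowlist-based HTML encoder that encodes every character not known to be safe. The field rules and the safe-character set are assumptions for the example.

```python
import re
import unicodedata

# Assumed field rules for this example: a username is 3-32 ASCII word characters,
# a quantity is a small integer within an explicit range.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
QUANTITY_RE = re.compile(r"[0-9]{1,3}")
# Assumed allowlist of characters that need no encoding inside an HTML text node.
SAFE_FOR_HTML = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,_-")

class ValidationError(ValueError):
    """Raised by the central validation routine for any rejected input."""

def canonicalize(raw) -> str:
    """Bring data to a common character set (Unicode NFKC) before validating,
    so look-alike forms such as fullwidth letters cannot bypass the checks."""
    if not isinstance(raw, str):
        raise ValidationError("expected text")
    return unicodedata.normalize("NFKC", raw).strip()

def validate_username(raw) -> str:
    """Type, length and allowed-character check for the username field."""
    text = canonicalize(raw)
    if not USERNAME_RE.fullmatch(text):
        raise ValidationError("username: 3-32 characters from [A-Za-z0-9_.-]")
    return text

def validate_quantity(raw, low: int = 1, high: int = 100) -> int:
    """Strongly typed range check: digits only, then parse, then bound to [low, high]."""
    text = canonicalize(raw)
    if not QUANTITY_RE.fullmatch(text):
        raise ValidationError("quantity: digits only")
    value = int(text)
    if not low <= value <= high:
        raise ValidationError(f"quantity: must be within {low}..{high}")
    return value

def accepts(validator, raw) -> bool:
    """True if the central routine accepts the value, False if it rejects it."""
    try:
        validator(raw)
        return True
    except ValidationError:
        return False

def encode_for_html(text: str) -> str:
    """Output encoding for the HTML interpreter: every character not on the
    known-safe allowlist is emitted as a numeric character reference."""
    return "".join(ch if ch in SAFE_FOR_HTML else f"&#x{ord(ch):x};" for ch in text)
```

Every field gets its own validator, but all of them pass through the same canonicalization step, which is what makes the routine centralized.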
Authentication and password management. Practices include: requiring authentication for all pages and resources (except those specifically intended to be public), enforcing authentication controls on trusted systems, establishing and utilizing a standard and tested authentication service when possible, using a centralized implementation for all authentication controls, implementing password hashing on trusted systems, utilizing authentication for connections to external systems that involve sensitive information and functions, and having password change and reset operations that require the same level of controls as account creation and authentication.
Session management. Practices include: using the server or framework’s session management controls, creating session identifiers on trusted systems, ensuring logout functionality fully terminates the associated session or connection and is available from all pages protected by authorization, and generating new session identifiers on any re-authentication.
Access control. Practices include: using only trusted systems, using a single site-wide component to check authorization, enforcing authorization controls on every request including those made by server-side scripts, restricting access to protected URLs, protected functions, object references, services, and application data to only authorized users, and implementing account auditing and enforcing the disabling of unused accounts.
Cryptographic practices. Practices include: implementing all cryptographic functions used to protect secrets from the application user on a trusted system, protecting master secrets from unauthorized access, and establishing and utilizing a policy and process for how cryptographic keys will be managed.
Error handling and logging. Practices include: using error handlers that do not display debugging or stack trace information, implementing generic error messages and using custom error pages, properly freeing allocated memory when error conditions occur, implementing all logging controls on a trusted system, ensuring logs contain important log event data, and utilizing a master routine for all logging operations.
Data protection. Practices include: implementing least privilege, protecting all cached or temporary copies of sensitive data stored on the server from unauthorized access and purging those temporary working files as soon as they are no longer required, protecting server-side source code from being downloaded by a user, removing comments in user-accessible production code that may reveal backend system or other sensitive information, disabling autocomplete features on forms expected to contain sensitive information, and implementing appropriate access controls for sensitive data stored on the server including cached data, temporary files, and data that should be accessible only by specific system users.
Communication security. Practices include: implementing encryption for the transmission of all sensitive information, ensuring TLS certificates are valid, have the correct domain name, are not expired, and are installed with intermediate certificates when required, utilizing TLS connections for all content requiring authenticated access and for all other sensitive information, and specifying character encodings for all connections.
System configuration. Practices include: ensuring frameworks and system components are running the latest approved version and have all patches issued for the version in use, restricting the web server, process, and service accounts to the least privileges possible, removing all unnecessary functionality and files, disabling unnecessary HTTP methods, and ensuring that the security configuration stored for the application can be output in human-readable form to support auditing.
Database security. Practices include: using strongly typed parameterized queries, utilizing input validation and output encoding that address meta characters, ensuring that variables are strongly typed, using secure credentials for database access, and removing or changing all default administrative passwords using strong passwords/phrases or multi-factor authentication.
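An added illustration of the first practice above (not from the article or the OWASP guide), in Python with a constructed in-memory SQLite table: the concatenated "before" query beside its strongly typed, parameterized form.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, "
                 "name TEXT NOT NULL, internal INTEGER NOT NULL)")
    conn.executemany("INSERT INTO products (name, internal) VALUES (?, ?)",
                     [("widget", 0), ("gadget", 0), ("unreleased", 1)])
    return conn

def lookup_concatenated(conn: sqlite3.Connection, product_id: str) -> list:
    """The 'before' form: the request value is spliced into the SQL text, so a
    value carrying SQL meta characters rewrites the query instead of being compared."""
    sql = ("SELECT name FROM products WHERE id = " + product_id
           + " AND internal = 0 ORDER BY id")
    return conn.execute(sql).fetchall()

def parse_product_id(raw: str) -> int:
    """Input validation for this field: a strongly typed decimal integer, nothing else."""
    if not re.fullmatch(r"[0-9]{1,9}", raw.strip()):
        raise ValueError("product id must be a decimal integer")
    return int(raw)

def rejects_id(raw: str) -> bool:
    """True if the validation layer refuses the raw request value."""
    try:
        parse_product_id(raw)
    except ValueError:
        return True
    return False

def lookup_parameterized(conn: sqlite3.Connection, product_id: int) -> list:
    """The hardened form: the SQL text is fixed and the typed value is bound as a
    parameter, so the database engine never parses request data as SQL."""
    if isinstance(product_id, bool) or not isinstance(product_id, int):
        raise TypeError("product_id must be an int")
    sql = "SELECT name FROM products WHERE id = ? AND internal = 0 ORDER BY id"
    return conn.execute(sql, (product_id,)).fetchall()
```

With the concatenated form, a request value of "3 OR 1=1" changes the WHERE clause so that the internal-only row is returned; with validation and binding, the same text is refused before it reaches the database, and an integer 3 simply matches no non-internal row.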
File management. Practices include: requiring authentication before allowing a file to be uploaded, limiting the types of files that can be uploaded to only those needed for business purposes, preventing or restricting the uploading of any file that may be interpreted by the web server, turning off execution privileges on file upload directories, and ensuring that application files and resources are read-only.
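An added Python example (not the article's or the OWASP guide's own code) applying the upload rules above in order; the allowed types, the list of server-interpreted extensions and the stored file mode are assumptions.

```python
import os
import stat
from pathlib import Path

# Assumed business allowlist: the only types this application needs, each paired
# with the leading bytes the format must begin with, to confirm the declared type.
ALLOWED_TYPES = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-"}
# Extensions a web server may interpret if such a file were served from the upload path.
SERVER_INTERPRETED = {".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py", ".sh"}

class UploadRejected(Exception):
    """Raised when an upload fails one of the checks below."""

def check_upload(is_authenticated: bool, filename: str, content: bytes) -> str:
    """Apply the upload rules in order and return the bare filename to store under."""
    if not is_authenticated:
        raise UploadRejected("authentication is required before uploading")
    name = Path(filename).name  # discard any directory components
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_TYPES:
        raise UploadRejected("file type is not on the allowlist")
    if any(s in SERVER_INTERPRETED for s in suffixes):  # catches e.g. report.php.png
        raise UploadRejected("server-interpretable extension present")
    if not content.startswith(ALLOWED_TYPES[suffixes[-1]]):
        raise UploadRejected("content does not match the declared type")
    return name

def upload_allowed(is_authenticated: bool, filename: str, content: bytes) -> bool:
    """Boolean wrapper around check_upload for callers that only need accept/reject."""
    try:
        check_upload(is_authenticated, filename, content)
    except UploadRejected:
        return False
    return True

def store_upload(upload_dir: str, name: str, content: bytes) -> int:
    """Write the checked file with no execute bits and return its permission mode."""
    target = Path(upload_dir)
    target.mkdir(parents=True, exist_ok=True)
    path = target / name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)
```

The file mode only covers the stored file itself; the upload directory must also be configured in the web server so that nothing under it is ever executed as a script, and that setting lives in the server configuration rather than in application code.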
Memory management. Practices include: utilizing input and output control for untrusted data, double-checking that the buffer is as large as specified, truncating all input strings to a reasonable length before passing them to copy and concatenation functions, using non-executable stacks when available, and avoiding the use of known vulnerable functions (e.g., printf, strcat, strcpy, etc.).
General coding practices. Practices include: using tested and approved managed code rather than creating new unmanaged code for common tasks, utilizing locking to prevent multiple simultaneous requests or using a synchronization mechanism to prevent race conditions, protecting shared variables and resources from inappropriate concurrent access, restricting users from generating new code or altering existing code, and implementing safe updating.
[1] OWASP, 2010, “OWASP Secure Coding Practices Quick Reference Guide”