Top 10 Tips to FAIL Security Code Reviews for Web Applications

Based on the top 10 security mistakes web developers make.
Video by: Iman Louis
Voices: Mike D’Antonio, Iman Louis

1. Tip to fail: "Input validation primarily means ensuring that the user fills out all mandatory fields."
   Not really, it's much more than that. To secure your application, define your trust boundaries and assume that all input coming from outside those boundaries is malicious, whether it is user input, input flowing from one component to another, or input coming from an external file or database. Always validate for type, format, length and range of values. Use regular expressions to perform whitelist validation rather than blacklist validation.

2. Tip to fail: "Header information can be used for security decisions, since the user cannot modify it."
   No, HTTP headers are not reliable, so do not base security decisions on them. Similarly, the query string can be easily altered, so verify each parameter before you use it.

3. Tip to fail: "To boost your application's performance, choose client-side validation over server-side validation."
   To secure your application, perform all required validation on the server. Client-side validation can be used to improve the user experience, but only redundantly, never alone.

4. Tip to fail: "Don't disclose clear-text secrets to the user; bury them in hidden form fields or in a cookie."
   Actually, the most secure approach is not to store secrets at all; for example, store password hashes instead of real passwords. But if you have to store secrets, then the server is a better place than the client. If you must store secrets on the client, such as in cookies, then encrypt the data and destroy the cookie upon session termination.

5. Tip to fail: "Credentials can be stored in clear text as long as they are hidden within configuration files or compiled code."
   To secure your application, encrypt secrets like connection strings, encryption keys and passwords, and never rely on security by obscurity. Remember that secrets hard-coded in your code can be disclosed by decompiling the code.

6. Tip to fail: "Dynamically built SQL statements offer the most flexibility with the least coding effort."
   To secure your application, use parameterized queries or stored procedures with strongly typed parameters.

7. Tip to fail: "Don't use HTTPS, since it slows down your page's response time."
   To secure your application, use HTTPS to submit sensitive information such as a login form or forms with client data.

8. Tip to fail: "To boost your application's responsiveness, take advantage of the latest frameworks, toolkits and libraries."
   To secure your application, use tried-and-true technologies that have been approved for use in your organization.

9. Tip to fail: "For ease of maintenance, simplify your security model."
   To secure your application, grant the least privilege by default, and have granular and distinct security roles as needed.

10. Tip to fail: "99% of attacks come through the user interface, so focus your security defense there."
    To secure your application, defend in depth: implement security in each layer of the application.

Right, hopefully by now you know the basics of secure application development. If you have any questions, contact us at Vic sonic Mediacom.
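The validation, SQL-parameterization and password-storage advice from the video, as an added Python 3 example that is not from the video or its authors. It uses only the standard library and an in-memory SQLite table filled with constructed sample rows; the function names, the `users` table and the `page_size` parameter are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# 1. Whitelist validation at the trust boundary: type, format, length and
#    range are all checked, and anything that fails is rejected, not "cleaned".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")   # fullmatch() anchors both ends


def validate_username(value):
    """Return the username if it passes the whitelist, else raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username: 3-20 letters, digits or underscores")
    return value


def validate_page_size(value):
    """Parse an untrusted query-string parameter as an int in the range 1..100."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,3}", value):
        raise ValueError("page_size must be 1 to 3 digits")
    size = int(value)
    if not 1 <= size <= 100:
        raise ValueError("page_size out of range")
    return size


# 2. Dynamically built SQL beside the parameterized query.
def setup_db():
    """Constructed sample data (assumed table): in-memory SQLite with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, api_key TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "key-a"), ("bob", "key-b")])
    return db


def lookup_dynamic(db, name):
    """The tip-to-fail version: the input becomes part of the statement text."""
    return db.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_parameterized(db, name):
    """Bound parameter: the driver passes the value separately from the SQL,
    so the input can never change the statement's structure."""
    return db.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# 3. Store password hashes, not passwords (PBKDF2-HMAC-SHA256, per-user salt).
def hash_password(password, iterations=200_000):
    """Return a self-describing string: algorithm, iterations, salt, digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"                       # classic injection payload
    print("dynamic SQL      :", lookup_dynamic(db, probe))        # both rows leak
    print("parameterized    :", lookup_parameterized(db, probe))  # []
    try:
        validate_username(probe)
    except ValueError as err:
        print("whitelist rejects:", err)
    stored = hash_password("correct horse battery staple")
    print("verify ok        :", verify_password("correct horse battery staple", stored))
```

Running the script shows the three layers working together: the whitelist regex rejects the injection string before it reaches the database, the parameterized query returns nothing for it even if validation were skipped, while the string-built query leaks every row; and the password check never needs the clear-text password to be stored anywhere.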

One Reply to “Top 10 Tips to FAIL Security Code Reviews for Web Applications”

  1. Louis, I

    @firetail9x Thanks.
    Don't know… my video on the SDLC has 125,000 hits so far. Maybe that shows that security is not on the mind of most developers?
