Slashdot Mirror


A Guide to Building Secure Web Applications

some-guy writes "The Open Web Application Security Project has released A Guide to Building Secure Web Applications, Version 1.1: 'While this document doesn't provide a silver bullet to cure all the ills, we hope it goes a long way in taking the first step towards helping people understand the inherent problems in web applications and build more secure web applications and Web Services in the future...'"

6 of 126 comments

  1. For those of you using PHP in particular... by angst7 · Score: 5, Informative

    As a supplementary reading assignment, this month's Linux Journal is running a similar, interesting article on Programming PHP with Security in Mind.

    ---
    Jedimom.com, choo choo choosing you...

    --
    StrategyTalk.com, PC Game Forums
  2. "click through" by Conare · Score: 5, Informative

    Any security mechanism should be designed in such a way that when it fails, it fails closed. That is to say, it should fail to a state that rejects all subsequent security requests rather than allows them

    This is one of my favorites. Most browsers fail SSL connections with a warning that allows the user to just "click through" if the certificate is expired, does not match the DNS name of the site, or is issued by an untrusted authority. Only the last of these should be a warning (since you may want to trust it anyway). The other two should be connection failures. I am glad they included this.

    --
    Stop Continental Drift! Reunite Gondwanaland!
  3. Re:Security - Why there is ignorance MONEY! by TheOste · Score: 3, Informative

    >Why is there so much ignorance about security?

    Project Manager: Make it work as quick as possible, this is just a demonstration.
    Developer: It works, but it isn't secure.
    Project Manager: Next project, we do not have more features to add. Put security on the punch list of things to do if it goes into production.
    Developer (next week, after the site goes into production without speaking to the developer): You know that site that was just supposed to be a demonstration? It has security problems.
    Project Manager: Is it working?
    Developer: Yes.
    Project Manager: Is the flaw easy to find?
    Programmer: Not by your average user, but by someone looking, yes.
    Project Manager: I do not see a reason to spend the money to secure this application at this time. It seems to be in production just fine; you are a better developer than what I thought.

    Six months down the road, the developer gets strung up when someone accesses all of the information at the site. I have seen this happen far too many times in the real world.

  4. Re:Secure Web Applications by Wizard of OS · Score: 3, Informative

    Found the document: http://members.rogers.com/razvan.peteanu/

    Or a direct link: http://members.rogers.com/razvan.peteanu/best_prac_for_sec_dev4.pdf

    --
    If code was hard to write, it should be hard to read
  5. another resource by tommck · Score: 3, Informative
    There's also a decent book out called Quality Web Systems (I know... amazon! here it is at bookpool) that might be useful to some. It talks about lots of aspects of securing (and testing that security) web sites.

    T

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  6. Book that covers similar topics by PaschalNee · Score: 3, Informative