You are probably eager to launch your website as soon as the code for its minimum functionality is complete. Before you do, here is the bare minimum I would suggest taking care of before launch:
- Input validation: several of the OWASP Top 10 vulnerabilities, SQL injection and cross-site scripting (XSS) in particular, can be averted only if the code validates its input. You may argue that you already do input validation, so what is different? Most of what applications call input validation is a set of business rules representing boundary conditions (a date must be in the future, a quantity must be positive). Injection vulnerabilities need a different check: whether the input contains characters that change the meaning of the SQL statement or the HTML page it ends up in, such as quotes, angle brackets and comment sequences.
SQL injection and XSS are two of the most common attacks, and both can be avoided with the validation and encoding library mentioned next. So what kind of coding is required to handle SQL injection and XSS? Do not worry: use the OWASP ESAPI library available for the programming language you are using for your web application. ESAPI (Enterprise Security API) is a free, open source web application security control library that makes it easier for programmers to write lower-risk applications. It provides validators for input and encoders for output, and is designed to make it easier to retrofit security into existing applications as well as to serve as a solid foundation for new development. Two caveats: validation on its own is not a complete defence against SQL injection, so the query itself should use parameterized statements rather than string concatenation; and XSS is ultimately prevented by encoding data for the context it is rendered in (HTML body, attribute, JavaScript), not only by rejecting input.
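The following is an added example, not code from the original post or from ESAPI, showing the two injection classes discussed above in plain Python with only the standard library: a lookup that concatenates user input into SQL next to the parameterized version, an allow-list validator, and a greeting rendered with and without HTML output encoding. The in-memory SQLite table, the user names and the payloads are constructed for the example.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash1"), ("bob", "hash2")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL statement.
    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterized query: the driver passes the value separately from the
    statement, so quotes inside it can never alter the query structure."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Allow-list validation: describe what a valid value looks like and reject
# everything else, rather than trying to enumerate bad characters.
ALLOWED_USERNAME = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(username):
    return ALLOWED_USERNAME.fullmatch(username) is not None


def render_greeting_vulnerable(name):
    """Reflects the value into HTML unchanged, so <script> tags execute."""
    return "<p>Hello " + name + "</p>"


def render_greeting_safe(name):
    """Output encoding for the HTML body context: < > & " ' are escaped."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every user
    print("safe:      ", find_user_safe(db, payload))        # no match
    print("valid?     ", validate_username(payload))         # rejected
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The allow-list validator rejects the injection payload before it reaches the database, but the parameterized query is what makes the lookup safe even for fields where you cannot restrict the character set (a free-text comment, a password). The same division of labour applies to XSS: validate where you can, and always encode on output.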
- Sensitive Data Exposure (password policy): another important aspect is how sensitive data such as passwords is stored. Passwords are the most common sensitive data of all, and they must never be stored in plain text or in reversibly encrypted form; they should be hashed as described below. The following is the password policy you may want to consider:
- Store passwords using a one-way, salted, deliberately slow hash such as bcrypt, scrypt, Argon2 or PBKDF2. A hash cannot be reversed, so only the user knows his password and no one else, not even an administrator with a copy of the database. A fast unsalted hash (plain MD5 or SHA-1) is not adequate, because a leaked table of such hashes can be brute-forced offline at high speed.
- To change a password, the user should be asked to enter the new password along with the old one, and the stored hash is replaced only if the old password verifies against it.
- For password recovery, send the user an email with a link containing a random security token that expires after a short time and can be used only once. Clicking the link takes the user to a page that lets him set a new password and then logs him in. An alternative is to send an auto-generated temporary password and force the user to change it the first time he logs in.
- For security of data in transit, use TLS (HTTPS). Over plain HTTP, passwords and session cookies are readable by anyone on the network path.
If your web application handles other sensitive data such as credit card numbers or SSNs, you must adhere to the encryption, storage and retrieval policies that apply to that data (for card data, PCI DSS).
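To show the password policy above as working code, here is an added example (not from the original post) that implements salted slow hashing, the old-password check on change, and expiring single-use reset tokens, using only the Python standard library. It assumes PBKDF2-HMAC-SHA256 via hashlib as the slow hash (bcrypt, scrypt or Argon2 would serve equally well) and keeps users and tokens in dictionaries in place of a database; the user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: PBKDF2-HMAC-SHA256 with a high iteration count as the slow hash.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password):
    """Return 'algo$iterations$salt$digest'; a fresh random salt every time."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Constructed in-memory stand-in for the user table."""

    def __init__(self):
        self.users = {}          # username -> stored hash string
        self.reset_tokens = {}   # sha256(token) -> (username, expiry timestamp)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def change_password(self, username, old_password, new_password):
        # The old password must verify before anything is replaced.
        if not self.login(username, old_password):
            return False
        self.users[username] = hash_password(new_password)
        return True

    def issue_reset_token(self, username, ttl_seconds=900, now=None):
        """Random token for the emailed link; only its hash is stored, so a
        database leak does not hand out live reset links."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (username, now + ttl_seconds)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop: single use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:                           # expired: already consumed
            return False
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # True
    print(store.change_password("alice", "wrong", "new-pass"))    # False
    token = store.issue_reset_token("alice")
    print(store.redeem_reset_token(token, "reset-pass"))          # True
    print(store.redeem_reset_token(token, "again"))               # False
```

Two details worth copying into a real implementation: the comparison uses hmac.compare_digest so timing does not leak how many bytes of the digest matched, and the reset token is consumed on first use whether or not it has expired, so an attacker who obtains an old link cannot replay it.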
- Error Page Configuration & Coding: to avoid users landing on an error page that displays the server version, a stack trace or other internal information, configure a generic error page for unhandled and error-prone requests (for example the error-page element in web.xml for a Java servlet container) and put appropriate hooks in your code so the user lands on that page when an error occurs. Log the full details server-side, where you can read them, rather than sending them to the browser, and make sure any debug or development mode is switched off in production. This is one of the key aspects of handling the security threat that arises from security misconfiguration.
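As an added example (not from the original post), the following minimal WSGI application shows the difference between a handler that returns the exception to the client and one that logs it server-side under a reference id and shows a generic page. It assumes a hypothetical view function that fails on the path /boom with an error message containing a connection string; the path, the message and the credentials in it are constructed to make the leak visible.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def risky_view(environ):
    """Constructed view: fails on /boom with a message an attacker would love."""
    if environ.get("PATH_INFO") == "/boom":
        raise ValueError("cannot connect to postgres://admin:s3cret@db.internal/prod")
    return "200 OK", b"<p>hello</p>"


def app_leaky(environ, start_response):
    """Before: the full traceback, internal hostnames and credentials included,
    is written into the response body (what a debug mode typically does)."""
    try:
        status, body = risky_view(environ)
    except Exception:
        status = "500 Internal Server Error"
        body = traceback.format_exc().encode("utf-8")
    start_response(status, [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def app_hardened(environ, start_response):
    """After: details go to the server log with a reference id; the client
    sees only a generic page carrying that id for support to look up."""
    try:
        status, body = risky_view(environ)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s path=%s", ref, environ.get("PATH_INFO"))
        status = "500 Internal Server Error"
        body = ("<h1>Something went wrong</h1>"
                f"<p>Please try again later. Reference: {ref}</p>").encode("utf-8")
    start_response(status, [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def call(app, path):
    """Tiny WSGI driver so the example runs without a web server."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8", "replace")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(call(app_leaky, "/boom")[1])      # traceback with the connection string
    print(call(app_hardened, "/boom")[1])   # generic page with a reference id
```

The same pattern applies whichever framework you use: the framework's debug page is the leaky handler, and the production configuration should route every unhandled exception to the hardened one. The reference id is what lets support staff find the logged traceback without the client ever seeing it.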
If you take care of the above minimum things, you have addressed some of the key OWASP Top 10 threats:
- SQL Injection
- Cross-site Scripting (XSS)
- Sensitive Data Exposure
- Security Misconfiguration