Every web application becomes a target the moment it is exposed to the Internet. Fortunately, there are a number of best practices and countermeasures that developers and administrators can apply when they build and deploy their apps. This post lists proven countermeasures that significantly improve web application security.
Network security checklist
- Most web applications sit behind perimeter firewalls, routers and other filtering devices. Make sure the perimeter devices that filter your traffic perform stateful packet inspection.
- Configure routers and firewalls to allow only the traffic your web applications need, typically HTTP and HTTPS, and block everything else.
- Treat outbound traffic the same way as inbound: allow only the outbound connections your web applications actually need (for example to the database tier or an update server) and block the rest, so a compromised server cannot freely reach out to the Internet.
- Make sure your perimeter devices (firewalls, routers, etc.) have appropriate DoS (denial of service) countermeasures. On Cisco routers, for example, the rate-limit command (committed access rate) can be used to throttle traffic.
- If you use load balancers, check whether they disclose any information about your internal network (for example internal addresses in headers or cookies).
- Consider deploying a network intrusion detection system (NIDS), and establish policies and procedures for reviewing its logs for attack signatures.
- Disable Telnet on all network devices. Use SSH for remote administration, and expose it to the Internet only on devices that genuinely need to be reachable from there.
- Define a password change policy for all remote access devices, and allow remote access only from specific IP addresses.
- Conduct network vulnerability scans regularly.
- Arrange a penetration test by a third-party organization whenever you make major changes to your network, and plan to have one conducted at least once a year.
Web Server checklist
- Whenever your software vendor releases software updates or security patches, apply them after appropriate testing.
- Check your server configuration to ensure it does not disclose sensitive information about the application software installed on the server (version banners, for example).
- Disable directory listing and parent-path access (referencing directories above the web root with "..") on your servers.
- Disable unnecessary services on your servers.
- If your software vendor recommends specific security settings, implement them.
- Disable or delete guest accounts and unnecessary users and groups.
- Enable OS auditing and web server logging.
- Remove unnecessary modules or extensions from your web servers.
- Remove the default website and any sample content from all of your web servers.
- Configure the authentication mechanism properly for your server directories.
- Always use TLS when your traffic is sensitive or exposed to eavesdroppers. Use adequate key lengths (2048-bit RSA at minimum), disable SSLv2, SSLv3 and the obsolete TLS 1.0/1.1, and support only TLS 1.2 or later.
- Deploy web content in a virtual root that contains no administrative utilities; this virtual root can be on a separate drive or disk.
- Review the error pages your server currently returns. If they leak information about the server (versions, paths, stack traces), replace them with custom pages.
- Make sure the accounts running the HTTP service do not have elevated privileges.
- Create access control lists for all of your web directories and files.
- If your servers have WebDAV (Web Distributed Authoring and Versioning) enabled, disable or remove it if you do not need it. If you must keep WebDAV, apply proper access restrictions to it.
- Disable web publishing functionality (such as that in iPlanet products) if you have any.
- Apply and fine-tune your web server's security modules (UrlScan for IIS, ModSecurity for Apache).
- Scan your server with popular vulnerability scanners to identify vulnerabilities and mitigate the risks.
- Consider using a host-based intrusion detection system alongside the network intrusion detection system, and make a policy to review the logs.
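Several items above (hiding installed software versions, disabling directory listings, customizing error pages) can be checked mechanically against what the server actually returns. The following Python script is an added example and is not code from the original post: it audits HTTP responses for those disclosures. The three sample responses are constructed for illustration, not captured from any real server, and the regular expressions are assumptions about typical banners and error pages, so extend them for your own stack.

```python
import re

# Constructed sample responses (not captured from any real server), each as
# (status, headers, body) the way a web server would return them.
SAMPLE_RESPONSES = {
    "leaky": (
        500,
        {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"},
        "<h1>Internal Server Error</h1><pre>Fatal error: Uncaught Exception "
        "in /var/www/html/app/db.php:42\nStack trace:\n#0 ...</pre>",
    ),
    "listing": (
        200,
        {"Server": "nginx"},
        "<html><head><title>Index of /uploads/</title></head>"
        "<body><h1>Index of /uploads/</h1><a href=\"../\">../</a></body></html>",
    ),
    "hardened": (
        404,
        {"Server": "nginx"},
        "<html><body><h1>Not Found</h1><p>The page you requested does not exist.</p></body></html>",
    ),
}

# Assumed patterns: a version number after a product name ("Apache/2.4.29"),
# an auto-generated directory index, and typical stack-trace / path markers.
VERSION_RE = re.compile(r"/\d+(\.\d+)+")
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
TRACE_RE = re.compile(
    r"(Stack trace:|Traceback \(most recent call last\)|/var/www/|C:\\inetpub)",
    re.IGNORECASE,
)


def audit_response(status, headers, body):
    """Return a list of (check, detail) findings for one HTTP response."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    server = hdrs.get("server", "")
    if VERSION_RE.search(server):
        findings.append(("server-version-banner", server))
    if "x-powered-by" in hdrs:
        findings.append(("x-powered-by", hdrs["x-powered-by"]))
    if LISTING_RE.search(body):
        findings.append(("directory-listing", "auto-generated index page served"))
    if status >= 500 and TRACE_RE.search(body):
        findings.append(("verbose-error-page", "stack trace or filesystem path in error body"))
    elif TRACE_RE.search(body):
        findings.append(("path-disclosure", "filesystem path in response body"))
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    """Audit every sample response and return {name: findings}."""
    return {name: audit_response(*resp) for name, resp in responses.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "clean")
```

Run it against responses captured from your own servers (for example with `curl -i` on a nonexistent path, an upload directory and a page that raises an error); anything other than "clean" points at an item on this list that is not yet done.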
Database Server security checklist
- Check that your database runs with the least privilege necessary for the services it delivers.
- Update your database software with the latest appropriate patches from your vendor.
- Remove all sample and guest accounts from your database.
- Dynamic sites need to communicate with the database server to generate the content users request. Restrict the traffic flow between the web server and the database server using IP packet filtering, so that only the web tier can reach the database port.
- Use an appropriate authentication mechanism between your web servers and database servers.
- If your database ships with default accounts, rename or disable them and, where they must remain, change their default passwords.
- Make sure database users are granted privileges according to their roles and requirements.
- Delete extended stored procedures and the libraries behind them from your database if you do not need them.
- Do not embed database user passwords in the application code.
- Plan for a database audit.
- Change database passwords after a predefined period.
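The database item on not embedding passwords in code and the application item below on parameterized SQL queries are easiest to see side by side. The following Python example is added here and is not part of the original post: it uses the standard sqlite3 module with constructed sample rows, shows the same lookup written both ways against a classic tautology payload, and reads the credential from the environment. The DB_PASSWORD variable name is an assumption used only to illustrate the pattern.

```python
import os
import sqlite3


def load_db_password(env=None):
    """Read the database password from the environment (or a secrets store)
    rather than embedding it in source. DB_PASSWORD is an assumed variable
    name; a missing value is an error, never a silent built-in default."""
    env = os.environ if env is None else env
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not set")
    return password


def connect():
    """Open an in-memory sqlite3 database with constructed sample rows.
    sqlite3 needs no password, so load_db_password() is not called here;
    with a real driver its value would be passed as the password argument."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the caller's string becomes part of the SQL text, so a
    quote in the input changes the query's logic."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, username):
    """Parameterized: the SQL text is fixed and the value is bound separately,
    so the same input is compared literally and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    """Run both lookups with an injection payload and a normal username."""
    conn = connect()
    payload = "x' OR '1'='1"  # tautology: WHERE username = 'x' OR '1'='1'
    return {
        "vulnerable": find_user_vulnerable(conn, payload),  # every row leaks
        "safe": find_user_safe(conn, payload),              # no match
        "legit": find_user_safe(conn, "alice"),             # normal lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The same split applies to every driver: the SQL string is a constant in the code, and every value that comes from a user, a cookie or another system travels through the driver's parameter mechanism. Credentials follow the same rule in reverse: they never appear in the code at all.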
Application security
- Create a threat model of your application and have it approved by management and the IS security team.
- Segregate the development environment from the production environment. Never use production data in the test environment.
- Make sure your application's authentication system follows industry best practices.
- Use ACLs to control access to application directories and files.
- Use proper input validation and output encoding on the server side.
- Secure the source code and files of your web applications.
- Remove temporary files from your application servers.
- Implement cookies and session management according to the best practices of your application development platform. Enforce a session expiration timeout and avoid allowing multiple concurrent sessions per user.
- Assign a new session ID when a user logs in (so that an ID fixed by an attacker before login is never promoted to an authenticated session), and provide a logout option that invalidates the session.
- Grant application users the least privilege they need.
- Implement a CAPTCHA and email verification if you allow users to create accounts with your application.
- Use appropriate encryption algorithms to meet your data security requirements.
- Always place include files (the files required by server-side scripts) outside the virtual root directory, and apply ACLs to them if possible. On IIS, give include files an .asp extension rather than .inc so that the server executes them instead of serving their source if they are requested directly.
- Identify vulnerable API or function calls and avoid them where a workaround exists.
- Use parameterized SQL queries to prevent SQL injection.
- Enable error handling and security logging features.
- Run a security audit on your source code.
- Perform a black-box test on your application. If you do not have a penetration tester in your organization, which is likely, hire a professional one.
- Change administration and other privileged passwords regularly.
- Conduct web application vulnerability scans regularly to identify application-layer vulnerabilities.
- Always conduct a proper penetration test before moving your application from development to production, and again whenever you make significant modifications to the application.
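The session items above (a new session ID at login, an expiration timeout, no concurrent sessions, a logout that actually ends the session) reduce to a small set of rules on the server side. The following Python class is an added example and is not code from the original post: the store is in memory, the timeout values are assumed defaults, and the clock is injectable so the expiry rules can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed: seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: hard lifetime regardless of activity


class SessionStore:
    """In-memory session store. A real deployment would back this with a
    database or cache, but the rules are the same; `clock` is injectable for tests."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session_id -> {"user", "created", "last_seen"}
        self.by_user = {}   # user -> current session_id (one live session per user)

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never guessable

    def create_anonymous(self):
        """Pre-login session, e.g. for a shopping cart or CSRF token."""
        sid = self._new_id()
        now = self.clock()
        self.sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """On successful authentication: retire the pre-login id (an attacker who
        planted it gains nothing) and evict any other session the user holds."""
        self.sessions.pop(old_sid, None)
        prev = self.by_user.pop(user, None)
        if prev is not None:
            self.sessions.pop(prev, None)
        sid = self._new_id()
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        self.by_user[user] = sid
        return sid

    def logout(self, sid):
        """Invalidate server side; clearing the cookie alone is not enough."""
        s = self.sessions.pop(sid, None)
        if s and s["user"] is not None:
            self.by_user.pop(s["user"], None)

    def current_user(self, sid):
        """Return the user of a live session, or None if the id is unknown or expired."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        idle_expired = now - s["last_seen"] > IDLE_TIMEOUT
        absolute_expired = now - s["created"] > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            self.logout(sid)
            return None
        s["last_seen"] = now  # activity extends the idle window, never the absolute one
        return s["user"]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login(store.create_anonymous(), "alice")
    print("logged in as", store.current_user(sid))
    store.logout(sid)
    print("after logout:", store.current_user(sid))
```

The session ID itself should only ever travel in a cookie flagged `Secure` and `HttpOnly`; the store above is the part that the cookie flags cannot do for you.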