Agile Java Development with Spring, Hibernate and Eclipse

D. Securing Web Applications

THE FOLLOWING ARE A FEW GUIDELINES on how to secure web applications. For further reading on this subject, visit the owasp.org website.

  • Validate browser input (parameters, special characters, SQL injection attempts) on the server side, not just the client side (that is, JavaScript). If you are working directly with JDBC, prefer java.sql.PreparedStatement over java.sql.Statement.

  • Don't use a shell (Runtime.exec) in your web-related code; this is almost certainly an open invitation to hackers.

  • Do not store sensitive data anywhere (databases, files, and so on). If you absolutely must store this information, store it in encrypted form.

  • Don't allow direct access to any system resource (for example, files, databases, classes, or programs). Turn off directory browsing on all web servers. Don't use real filenames and/or directories (for example, hide JSP files under WEB-INF).

  • Use HTTPS rather than HTTP for sensitive data such as username, password, financial data, health information, and secure government information.

  • Require strong user ids and passwords (for example, six- to eight-character minimum, special characters in password, and so on).

  • Hidden HTML fields are not hidden; anyone can view the HTML code in the browser, so keep this in mind.

  • Disable accounts, either temporarily or permanently, after three failed attempts.

  • Do not store clear-text passwords (for example, app id/password in config files).

  • Log all activity, or at least all suspicious activity.

  • Use industry standard, well-tested security protocols over a custom, home-grown solution.

  • POST is slightly better than GET for hiding sensitive data (for example, from the browser's address bar and from access logs). Suggestion: Conduct security testing with the Firefox Tamper Data extension.

  • Have source code reviews. Your colleagues might be able to see something you have missed.

  • Beware of cross-site scripting (XSS); a hacker can use this technique to hijack personal information about your users.

  • Last, but not least, be paranoid! There really are people out there trying to guess passwords, hack, and so on; always remain vigilant about security! Think like a hacker; assume the hacker knows as much or more than you, and have regular security audits. Remember, you cannot entirely avoid security threats; however, you can manage and control them. More importantly, there are automated crawlers looking for security holes. When a hole is found, a human can move in for the kill.
