What are typical security requirements? Are there some standard ones that can be used for any Web application?
I believe what you are looking for is a checklist of security considerations to validate in a Web application. An excellent source for a checklist like this is the OWASP Application Security Verification Standard. This is a realistic set of standards, formed into a maturity matrix, which can be implemented on pretty much any Web application. It’s good to use as a metric for analyzing application security in deployment, as a set of standards to assist development organizations in the design, implementation and test phases, and as a minimum bar for the procurement phase when analyzing third-party applications or for accepting outsourced deliverables. This standard is implemented in levels, with level 1 simply requiring an automated vulnerability scan, level 2 graduating to manual evaluation, level 3 requiring a design review (essentially a threat model) and level 4 requiring code review. Before starting a Web application project, the team should evaluate the project requirements and agree in advance on the security verification standard which is most appropriate. For instance, a project for a power grid application would require a level 4, whereas an internal wiki for a local company probably needs a level 1 or level 2.
A similar checklist approach to actually testing the application would be to implement the OWASP Top Ten list into a test plan, covering each page of the Web application for the applicable vulnerabilities. The top ten was recently updated to reflect the ever-changing top vulnerabilities, so by passing a top ten evaluation you’ll know your site is relatively resilient to penetration. Visit the OWASP Top Ten project online for more information.
Finally, a customized security testing solution would be in order for your company or engineering team. Like any sports team, each group has their strengths and weaknesses. Come together as a group to discuss your security knowledge. Review defects and production changes for the past few years and determine what your weaknesses are. Then develop an internal checklist (or integrate it into your application security verification matrix) and execute that checklist as final acceptance testing for each deployment.
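As an added illustration of the page-by-page test plan and the acceptance-testing checklist described above (example code written for this answer, not something the answer or OWASP provides), the script below builds a coverage matrix of pages against the OWASP Top Ten 2010 categories, records test results, and refuses acceptance while any applicable item is untested or failing. The category names are the real 2010 list; the per-page applicability rules, the `Page` traits and the sample pages are this example's own constructed assumptions and should be replaced by the team's internal checklist.

```python
"""Page-by-page OWASP Top Ten coverage matrix used as a deployment acceptance gate."""
from dataclasses import dataclass

# OWASP Top Ten 2010 categories (the edition current in early 2011).
TOP_TEN_2010 = {
    "A1": "Injection",
    "A2": "Cross-Site Scripting (XSS)",
    "A3": "Broken Authentication and Session Management",
    "A4": "Insecure Direct Object References",
    "A5": "Cross-Site Request Forgery (CSRF)",
    "A6": "Security Misconfiguration",
    "A7": "Insecure Cryptographic Storage",
    "A8": "Failure to Restrict URL Access",
    "A9": "Insufficient Transport Layer Protection",
    "A10": "Unvalidated Redirects and Forwards",
}


@dataclass(frozen=True)
class Page:
    """Traits of one page that decide which categories must be tested on it.
    The trait set is an assumption of this example, not part of the standard."""
    path: str
    takes_input: bool = False      # reads user-supplied parameters or form fields
    state_changing: bool = False   # modifies server-side state (transfers, edits)
    authenticated: bool = False    # reachable only after login
    stores_secrets: bool = False   # handles passwords, tokens or card data
    redirects: bool = False        # issues a redirect derived from a parameter


def applicable(page: Page) -> set:
    """Return the Top Ten IDs that apply to a page, derived from its traits.
    Rules are deliberately conservative: configuration and transport apply everywhere."""
    ids = {"A6", "A9"}
    if page.takes_input:
        ids |= {"A1", "A2"}
    if page.state_changing:
        ids.add("A5")
    if page.authenticated:
        ids |= {"A3", "A4", "A8"}
    if page.stores_secrets:
        ids.add("A7")
    if page.redirects:
        ids.add("A10")
    return ids


def build_plan(pages) -> dict:
    """Create the matrix: every (path, category) pair starts as None (untested)."""
    return {(p.path, cid): None for p in pages for cid in sorted(applicable(p))}


def record(plan: dict, path: str, cid: str, passed: bool) -> None:
    """Store a result; results outside the plan are rejected so nothing is tested ad hoc."""
    if (path, cid) not in plan:
        raise KeyError(f"{cid} ({TOP_TEN_2010.get(cid, '?')}) is not planned for {path}")
    plan[(path, cid)] = passed


def acceptance_report(plan: dict) -> dict:
    """Deployment is accepted only when no planned item is untested or failing."""
    untested = sorted(k for k, v in plan.items() if v is None)
    failed = sorted(k for k, v in plan.items() if v is False)
    return {"untested": untested, "failed": failed, "accepted": not untested and not failed}


# Constructed sample inventory for a small banking-style application.
SAMPLE_PAGES = [
    Page("/"),
    Page("/login", takes_input=True, stores_secrets=True),
    Page("/account/transfer", takes_input=True, state_changing=True, authenticated=True),
    Page("/logout", authenticated=True, redirects=True),
]


def demo() -> dict:
    """Run the plan with constructed results: one CSRF failure, one redirect test skipped."""
    plan = build_plan(SAMPLE_PAGES)
    for path, cid in list(plan):
        if (path, cid) == ("/logout", "A10"):
            continue                      # left untested on purpose
        record(plan, path, cid, passed=(path, cid) != ("/account/transfer", "A5"))
    return acceptance_report(plan)


if __name__ == "__main__":
    report = demo()
    for path, cid in report["untested"]:
        print(f"UNTESTED {path} {cid} {TOP_TEN_2010[cid]}")
    for path, cid in report["failed"]:
        print(f"FAILED   {path} {cid} {TOP_TEN_2010[cid]}")
    print("accepted" if report["accepted"] else "rejected")
```

The gate is intentionally strict: a pair that was never recorded blocks acceptance just as a failure does, which is what turns a checklist into final acceptance testing rather than a best-effort sweep.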
This was first published in March 2011