Authentication and authorization for Web applications

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Security Expert resolves issues plaguing OpenSTA users What is fuzz testing? What are some ways to use fuzz testing? How do I convince management to take application security seriously? How do I set up a secure login page using membership in ASP.NET? Security testing sales, marketing websites Are there application security certification standards? Top tools for testing Web application security How to prevent HTTP response splitting PCI DSS compliance: WAF, code review or both? Application security careers have bright future Building security into the SDLC (Software development life cycle) Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science'

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Defining authentication and authorization mechanisms for application access doesn't guarantee end-to-end security of an application whether it resides within a local system or made accessible over a network. Authentication and authorization mechanisms just contribute to verifying the user's identity. These mechanisms confirm the user is who he or she claims to be and define what actions the user is allowed to perform after granting access to the system. In addition, you would need to ensure the confidentiality and integrity of the communication and data exchanged during the application access and also to ensure non-repudiation and accountability make sure all actions are logged and available for audit.

Software security: Creating a secure login page with Java How to create a secure login page using ASP.NET OWASP Guide to Building Secure Web Applications and Web Services: Session Management

Prior to your application deployment, make sure that all the Web-based deployment and its security requirements of your application runtime environment (ex. J2EE or Microsoft .NET) and its target host system are addressed and made available to your application. Here is a list of best practices you must consider for your Web deployment:

1. Minimize and harden the operating system. That is, running the Web and application server. Ensure that all unsolicited and untrusted services are disabled.



2. Make sure the application deployed Web server or Application server resides in a DMZ (Firewall) environment. Use a stateful firewall inspection to keep track of all Web-tier transmissions and protocol sessions.



3. Secure Web server user permissions and administrative controls with appropriate access control mechanisms and privileges. All administration tasks must be carried out in an encrypted and trusted communication.



4. Secure all incoming and outgoing communication to the Web server using HTTP over SSL/TLS (HTTPS) protocol. Enforce strong encryption with stronger ciphers.



5. Make sure that you don't flip back to HTTP from a HTTPS session.



6. Disallow all direct access to the application, make sure the application resides on a server accessed via a reverse proxy or Network address translation (NAT) -based IP addresses. Use certificates for server-to-server communication.



7. Encrypt all application specific properties accessible to the Web server and stored on local disks.



8. Make sure to verify and validate all input and output form fields and its request/responses. Track all user sessions by identifying the user and the host destination originating the request and receiving the responses.



9. Log and audit all user actions, security and business functions.



10. Make sure to set session timeouts for all active sessions and also logout the user from all residual sessions after session expiry.