Web Application Security
Lightning Talk: London Web Thames Cruise 2011
Ben Haines [email protected]

Basics
  Application
    Input Validation
      Forms
      URLs
      SQL
    Authentication, Authorisation & Passwords
  Infrastructure
    Patching Servers (less of an issue if using PaaS hosting)
    Configuration (don't run services as root, iptables, least info possible, etc.)

Quick wins
  Application Frameworks often use industry best practice
    Passwords
    Session Handling
    DB
  Subscribe to OWASP YouTube Videos
  Use security libraries where possible, e.g. .Net AntiXSS library
  Logging anybody?
  Finally, don't roll your own (unless you know what you are doing, even then DON'T!)

Great (free) Resources
  Education
    OWASP.org (Open Web Application Security Project)
    SANS, SAFECode (e.g. Fundamental Practices for Secure Software Development)
  Tools
    Vega, OSS web application security scanner (subgraph.com)
    Metasploit, testing framework
  Blogs
    Bruce Schneier
    Full-Disclosure, BugTraq

Questions
  No, BASE64 is not appropriate for encrypting/hashing passwords ;)