Web application security
Web application security is a branch of information security that deals specifically with security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.
Security threats
The majority of web application attacks occur through cross-site scripting and SQL injection attacks, which are typically made possible by flawed coding and a failure to sanitize application inputs and outputs. These attacks are ranked in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. According to the security vendor Cenzic, the top vulnerabilities in March 2012 included:

| Share | Vulnerability class |
| --- | --- |
| 37% | Cross-site scripting |
| 16% | SQL injection |
| 5% | Path disclosure |
| 5% | Denial-of-service attack |
| 4% | Arbitrary code execution |
| 4% | Memory corruption |
| 4% | Cross-site request forgery |
| 3% | Data breach |
| 3% | Arbitrary file inclusion |
| 2% | Local file inclusion |
| 1% | Remote file inclusion |
| 1% | Buffer overflow |
| 15% | Other, including code injection, etc. |
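The two classes at the top of that list share the root cause the paragraph names: input concatenated into a query, and output written into HTML without encoding. The following is an added example, not code from the article, contrasting the flawed pattern with the parameterized query and output encoding that fix it; the `users` table and its rows are constructed sample data.

```python
# Added example: SQL injection and XSS arise from treating untrusted input
# as code; parameter binding and output encoding keep it as data.
# Uses an in-memory SQLite table with constructed rows so it runs offline.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Flawed: the input is spliced into the SQL text, so characters in it
    can alter the query's structure instead of acting only as a value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the query structure is fixed and the driver binds the value
    separately, so the input can only ever match a name literally."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(name: str) -> str:
    """Flawed: untrusted data is written into HTML without encoding (XSS)."""
    return "<p>Hello, " + name + "</p>"


def render_hardened(name: str) -> str:
    """Fixed: output encoding turns markup characters into inert entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_hardened(db, "alice"))
    print(render_hardened("<b>x</b>"))
```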
The Open Web Application Security Project provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations. From this data, approximately 2.3 million vulnerabilities were discovered across over 50,000 applications. According to the OWASP Top 10 - 2017, the ten most critical web application security risks include:
- Injection
- Broken authentication
- Sensitive data exposure
- XML external entities
- Broken access control
- Security misconfiguration
- Cross-site scripting
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
Best practices recommendation
Security standards
OWASP is the emerging standards body for web application security. In particular, they have published the OWASP Top 10, which describes in detail the major threats against web applications. The Web Application Security Consortium has created the Web Hacking Incident Database and also produced open source best practice documents on web application security. The WHID became an OWASP project in February 2014.
Security technology
While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include:
- Black box testing tools such as web application security scanners, vulnerability scanners and penetration testing software
- White box testing tools such as static source code analyzers
- Fuzzing tools, used for input testing
- Web application security scanner
- Web application firewalls, used to provide firewall-type protection at the web application layer
- Password cracking tools for testing password strength and implementation