Design Specifications for Web Security (4.1)

Main Content

• Enter check Policy
• Separate restricted access
• Effective account management practices
• Effective authorization and verification policy development
• Protect sensitive data
• Protect user sessions
• Parameter manipulation)
• Security handling exception
• Protection configuration and management
• Monitoring and logging considerations

Overview

Many Web applications require architects, designers,ProgramSecurity issues. Almost all secure web applications are the result of both the above-mentioned efforts on security.

In addition, reliable architecture and design require that deployment and security policies be considered at the initial stage of the design phase. Otherwise, you may not be able to deploy on an existing infrastructure or deploy it only when the security level is reduced.

This chapter includes a series of architectural and design specifications. And are classified according to common security weaknesses. The Web security design specifications are not only the key to Web security, but also the areas that often make mistakes.

How to Apply

This chapter focuses on the principles and specifications that must be followed when designing applications. The following are the suggestions for using this chapter.

• First, you must know the threats to the application so that you can determine whether all threats are taken into account during design. Read chapter 2 "Threats and Countermeasures" to understand the threats to be considered. Chapter 2 illustrates the threats that may endanger applications. You should keep these risks in mind throughout the design phase.
• When designing an application, the system processes your possibly attacked part. This includes deployment considerations, input verification, user authentication and authorization, encryption and sensitive data protection, management and configuration, sesion, exception handling, monitoring, and logs.

Key Points of architecture and design in Web Applications

Web applications are a challenge for designers and programmers. Because the HTTP division is stateless, the application must be able to identify the connection information of each user. To do this, the application must implement some form of user authentication. Subsequent user authorization decisions are also based on user authentication, which essentially requires that the authentication process be consistent with the security requirements of the session mechanism used to mark authorized users. Verification and Session Security are one of the many problems that designers and programmers need to face. In illustration 4.1, the important issues that must be addressed during the design process are highlighted.

The design specifications in this chapter are categorized according to the weak links in the application. Based on past experience, the design deficiencies in these key areas are more likely to bring security vulnerabilities. Table 4.1 lists the categories of weak links and identifies possible problems caused by improper handling of each weak link.

 

Deployment considerations

During the design process, you should assess the coordination between the application security policy and the target deployment environment infrastructure of the application. Generally, the target environment is rigid, so the application design must consider the environmental restrictions. Sometimes it is necessary to make some trade-offs on the design and infrastructure, such as protocol and port restrictions or special deployment technologies. Identifying limitations at the beginning of the design phase can avoid major troubles in the later stage. In addition, you can get help from the network and infrastructure teams as soon as possible.

Design Guidelines for Secure Web Applications

Dizzy. It took more than two hours. Tired. I will go to work tomorrow...