Friday, March 14, 2008

Hack-Resistant Web Applications

Building more hack-resistant applications

With so many opportunities for hackers to exploit Web technology, what can organizations do to protect their Web-based assets?

First, think defensively. Instead of focusing only on how to attract users to your site, assume that some of those users will try to manipulate your applications. Help build security into your Web applications by testing for vulnerabilities throughout the development and delivery lifecycle. Use automated tools to help ensure that you are testing all your applications and detecting vulnerabilities that can slip through the cracks with manual testing. In addition, keep the following two rules in mind:

* never trust data that comes from a user, and
* never make assumptions about the limits of a user's technologies.

In other words, all data from outside sources is potentially dangerous. Assume that anything a user could theoretically manipulate will be manipulated. Moreover, just because a user is supposedly employing a specific technology, do not assume that it will constrain his or her actions. For example, even if a browser does not show hidden fields in a page's HTML code, you should assume that some users will be able to find and manipulate those fields before sending pages back to your server.
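As an added example (not code from the original post), the hidden-field case above in a checkout handler: one version trusts the `price` field the browser sent back, the other validates every field and takes the price from a server-side catalogue. The form dictionary, catalogue and submitted values are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample catalogue: the server-side, authoritative source of prices.
CATALOGUE = {"sku-100": Decimal("19.99"), "sku-200": Decimal("249.00")}


class InvalidOrder(ValueError):
    """Raised when a submitted order fails server-side validation."""


def order_total_trusting_form(form):
    """Insecure: believes the hidden 'price' field that came back from the browser.

    The field was hidden in the HTML, but nothing stops a user from editing it
    before the form is posted, so the total is whatever the client chose."""
    return Decimal(form["price"]) * int(form["qty"])


def order_total_server_side(form):
    """Hardened: every field is treated as untrusted input.

    The SKU must exist in the catalogue, the quantity must parse as an integer
    within an allowed range, and the price is looked up on the server rather
    than read from the form."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise InvalidOrder("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise InvalidOrder("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise InvalidOrder("quantity out of range")
    return CATALOGUE[sku] * qty


def is_rejected(form):
    """True when the hardened handler refuses the submitted form."""
    try:
        order_total_server_side(form)
    except InvalidOrder:
        return True
    return False


# Constructed submission in which the user changed the hidden price to 0.01.
TAMPERED_FORM = {"sku": "sku-100", "qty": "2", "price": "0.01"}
```

With the tampered form, the trusting handler charges 0.02 while the hardened one charges 39.98; a form with an unknown SKU or a non-numeric quantity is rejected outright.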
