Guidelines For Application Security Management Design, Development, and Testing
www.techmahindra.com
Table of Contents
1. PURPOSE
2. SCOPE
3. ACRONYMS AND DEFINITIONS
4. GUIDELINE - INSTRUCTIONS
4.1 DESIGN
4.2 CODING
4.3 SECURITY TESTING
4.4 DELIVERY AND DEPLOYMENT
4.5 TYPES OF VULNERABILITIES
4.6 MANAGEMENT PRACTICES
4.6.1 Requirements, Design and Development
4.6.2 Testing
4.7 AUDIENCE
4.8 VERIFICATION MATRIX
4.9 TESTING TOOLS
4.9.1 Introduction
4.9.2 Evaluation Criteria
4.9.3 Common Tools and Features
5. DOCUMENT HISTORY
1. PURPOSE
The purpose of this Application Security Management document is to define the requirements for security in all
applications that use the Web Application Security Standards (WASS). Security rules safeguard
applications, and the underlying information, by preventing unauthorized alteration, destruction or loss
of use.
2. SCOPE
The intended audience for this Management Practice is all users with responsibility for the
development, implementation and management of security in applications.
This document presents only the rules required for application security; all other development
methodologies remain as defined in the QMS/BMS. Other types of security, such as network security, must be
considered separately.
4. GUIDELINE - INSTRUCTIONS
The logical activities of the software development life cycle for a Web Application development project
are given below, by phase:
4.1 DESIGN
The applicable rules to be considered while designing secure web applications are
4.2 CODING
All rules in the WASS document are applicable during the coding phase, depending on the type of
application (Level 1, Level 2, Level 3); for Unit Testing and Code Review, the Verification Matrix in
this document can be referred to.
A bad design can give rise to several types of security vulnerabilities. The following
table lists the vulnerabilities by category, together with the potential problems that can be caused by bad
design.
Category                                    Vulnerability              Ref.
                                            Directory Indexing         33
Environment and Application Server Rules    Transport Layer Security   35
Environment and Application Server Rules    Database Security          34
Logging Rules                               Auditing & Logging         36
4.6.2 Testing
New or Significantly Enhanced version releases of Applications (including Legacy Applications)
must be fully tested against applicable security rules prior to production deployment.
Confidential Information should not be used for purposes of application development and
testing. The use of Confidential Information for development and testing must be authorized by
the business owner of the Application.
Successful testing of an Application’s security rules must be recorded in accordance with formal
change control processes.
Personally Identifiable Information (PII) must not be used in application development or testing,
unless otherwise permitted under applicable data protection laws, rules or regulations (e.g.,
Healthcare Information Portability and Accountability, EU Data Protection Directive).
Where the use of Confidential Information is required for test purposes, access controls must be
applied to Applications and underlying systems in the test environment. Confidential Information
must be deleted from the test environment as soon as feasible following test execution.
4.7 AUDIENCE
The standards must be shared with the customer, customized (if required) and approved before
putting it to use. This must happen before the application design starts.
Project Teams are accountable for ensuring that web applications within their scope are
compliant with this standard.
Project Architects are accountable for ensuring that this standard is appropriately complied with
on projects where they are the named architect.
Project Managers should ensure that compliance with this standard is included in System
Requirements.
Developers are responsible for developing code that complies with this standard.
Web Security Testers must ensure that the application is not vulnerable to vulnerabilities
described in this document.
4.8 VERIFICATION MATRIX
The Verification Matrix is provided as an aid to navigating the various Rule statements. A check mark indicates that
the Rule statement is verifiable via the corresponding verification technique (Code Review or Manual Testing). Multiple check marks
mean the Rule statement is verified by a combination of techniques.
Rule ID  Rule Description
1   Do not allow the login process to start from an unencrypted page.
2   Password strength should be enforced to use upper and lower case letters, numbers, and symbols.
3   Password aging should be enforced to ensure that passwords do not remain unchanged for long periods of time.
4   Validate authorization on every request.
5   Employ access control in the business layer, not only the presentation layer.
6   Do not pass any credentials or parameters that can be used to bypass authentication or authorization rules within a URL.
7   Ensure that all URLs and business functions are protected by an effective access control mechanism that verifies the user's role and entitlements.
8   Only use the inbuilt session management mechanism within the development framework.
9   Ensure that a new session is regenerated upon successful authentication.
10  Ensure that every page has a logout link.
11  Use an appropriate timeout period that automatically logs out an inactive session.
12  Do not accept new, preset or invalid session identifiers from the URL or in the request.
13  Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored.
14  Ensure that all user-supplied data is HTML/URL encoded before rendering.
15  Use strongly typed parameterized queries or stored procedures.
16  Validate any application-critical information passed as variables in cookies.
17  Check any user-supplied files or filenames taken from the user for legitimate purposes.
18  Avoid detailed error messages that are useful to an attacker.
19  Utilize custom error pages in order to guarantee that the application will never leak error messages to an attacker.
20  In the case of any system failure, the application must "fail closed" the resource.
21  Do not store any confidential information in cookies.
22  Prevent sensitive data from being cached on the client side.
23  Ensure that confidential information is transmitted by using the HTTP POST method.
24  Do not write / store any sensitive information in HTML source.
25  Ensure proper masking techniques are used while displaying Sensitive Personally Identifiable Information to users.
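As an added illustration (not part of this guideline or of any product it names), the following standard-library Python shows rules 9, 12, 14 and 15 of the matrix implemented together: a parameterized login query, a session store that discards presented identifiers and regenerates the id on successful authentication, and HTML encoding before rendering. The user table, names and functions are constructed for the example.

```python
import hashlib
import html
import secrets
import sqlite3

# Constructed in-memory user store (sha256 stands in for a proper slow password hash).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", hashlib.sha256(b"s3cret").hexdigest()))
    return db

# Rule 15: a parameterized query; the user's input is bound as data, never
# spliced into the SQL text, so quote characters cannot alter the statement.
def find_user(db, name, password):
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute("SELECT name FROM users WHERE name = ? AND pw_hash = ?",
                     (name, pw_hash)).fetchone()
    return row[0] if row else None

# Rules 9 and 12: the store honours only identifiers it issued itself and
# mints a fresh identifier on successful authentication.
class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> user name (None until login)

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, db, presented_sid, name, password):
        # Rule 12: a preset or unknown id arriving with the request is discarded.
        if presented_sid not in self.sessions:
            presented_sid = None
        user = find_user(db, name, password)
        if user is None:
            return None
        # Rule 9: drop the pre-login id and issue a new one, so an id known to
        # anyone before authentication never becomes an authenticated session.
        if presented_sid is not None:
            del self.sessions[presented_sid]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

# Rule 14: HTML-encode user-supplied data before rendering it into a page.
def render_greeting(user_input):
    return "<p>Hello, " + html.escape(user_input, quote=True) + "</p>"
```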
4.9.1 Introduction
Three types of tools are predominantly used to analyze web security issues:
Vulnerability Scanners:
Taking the concept of the network-based vulnerability scanner one step further, application scanners
began appearing several years ago. These tools probe general-purpose web-based applications by
attempting a variety of common and known attacks against each targeted application and each page of
the application. Most application scanners can observe the normative functional behavior of
an application and then attempt a sequence of common attacks against it. The attacks
include buffer overruns, cookie manipulation, SQL insertion, cross-site scripting (also referred to as
"XSS"), and the like. Although this feature set sounds as though it might be of significant value to a
test team evaluating a web-based application, the chief shortcoming of the technology is that
the tools only test for a relatively small and simplistic set of attack profiles (for example, putting a few
hundred "A" characters into a string variable to look for a buffer overrun situation). Further, since the
testing is still performed in an entirely black-box manner, the utility of such tools is greatly diminished
for any serious testing process. That is, although failing any of the tests is demonstrably a bad
situation, passing all of the tests can only provide, at best, a misplaced sense of security. Popular
commercial application scanners include IBM's AppScan and HP WebInspect.
4.9.2 Evaluation Criteria
Ease of Use
Intuitive and easy to use for users new to automated testing tools
Easy to install; tool may not be used if difficult to install
Tasks can be accomplished quickly, assuming basic user proficiency
Easy to maintain automated tests, with a central repository that enables users to separate GUI
object definitions from the script
Can vary how designs and documents are viewed (zooming, multipage diagrams easily
supported, multiple concurrent views); basic windowing
Tool Customization
Breadth of Testing
Coverage refers to the ability of the tool to test for all (known) categories of vulnerabilities relevant to
the product that has been developed. It is important to obtain a sense of the percentage and nature of
potential vulnerabilities the tool tests for. For example, if evaluating a web-based system, the
organization will want to determine whether the test tool identifies issues that may result from
improper input validation, SQL insertion attacks, cross-site scripting attacks, or improper session
management.
Accuracy/False-Positive Rate
Are there a large number of false positives? False positives will result in more analysis work for
the tester, who will be required to manually evaluate the results of the test tool.
Are there a large number of unidentified vulnerabilities?
Test Management
Interoperability
Major test automation suites provide functionality that is useful in any large-scale testing process. For
smaller, more specialized tools, interoperability with other test tool suites may be considered as an
evaluation criterion.
Consulting Requirements
Maturity of vendor
Market share of vendor
Vendor Qualifications
Vendor Support
Product Pricing
4.9.3 Common Tools and Features
... violations of the programming and design rules set forth in the Design Guidelines, which are the Microsoft guidelines for writing robust and easily maintainable code by using the .NET Framework.

Tool: Fortify
Type: Source Code Analyzer
Vendor: Fortify
URL: http://www.fortify.com
Description: The Fortify Source Code Analyzer (SCA) examines every line of code and every program path to identify hundreds of different types of potentially exploitable vulnerabilities early in the development lifecycle, when they're cheapest to fix.

Tool: DevInspect
Type: Source Code Analyzer
Vendor: HP
URL: https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200_4000_100__
Description: HP DevInspect software is web application security assessment software designed to thoroughly analyze today's complex web applications. It delivers fast scanning capabilities, broad assessment coverage and accurate web application scanning results.

Tool: Compuware
Type: Source Code Analyzer
Vendor: Compuware
URL: http://www.compuware.com/quality.htm
Description: DevPartner Studio Professional is a suite of tools allowing a developer to analyze .NET code for: Code Quality and Complexity; Memory Leak Detection; Memory Optimization; Performance Analysis (Timing); Performance Expert (CPU, Disk and Network resource usage); Code Coverage Analysis; Fault Simulation (both .NET and environmental); Error Detection and Interop monitoring for C/C++ using BoundsChecker technology.

Tool: AppScan
Type: Vulnerability Scanner
Vendor: IBM
URL: http://www.ibm.com/software/rational/offerings/websecurity/
Description: Rational AppScan provides Web application security vulnerability scanning, testing, and reporting.

Tool: WebInspect
Type: Vulnerability Scanner
Vendor: HP
URL: https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200_4000_100__
Description: HP WebInspect software is web application security assessment software designed to thoroughly

Tool: WebScarab
Description: ... common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.

Tool: Paros
Type: Web Application Assessment Proxy
Vendor: Free
URL: http://www.parosproxy.org/
Description: Used for web application security assessment.

Tool: Fiddler
Type: Web Application Assessment Proxy
Vendor: Free
URL: http://www.fiddler2.com/fiddler2/
Description: Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

Tool: TamperIE
Type: Web Application Assessment Proxy
Vendor: Free
URL: http://www.bayden.com/TamperIE/
Description: TamperIE is a simple Internet Explorer Browser Helper Object which allows lightweight tampering of HTTP requests from Internet Explorer 5 and above.

Tool: Tamper Data
Type: Web Application Assessment Proxy
Vendor: Free
URL: https://addons.mozilla.org/firefox/addon/966
Description: TamperData is an extension to track and modify http/https requests.
5. DOCUMENT HISTORY