Application Developer Security Tips
Application security is the last line of defense between an attacker and your organization's sensitive data. The following are some tips that will assist developers in securing applications.
- Use an application framework
  - Application frameworks help developers secure web applications properly. Frameworks such as .NET, CakePHP, CodeIgniter, Apache Struts, Spring, and others offer helper classes for validating and sanitizing user input, and classes that issue SQL queries safely.
- Validate and escape user input
  - If a field should contain a specific value or format (only a number, letters, or a single line of mixed input), validate the input. Failing to validate user input leads to problems downstream in the application and can allow malicious commands to be executed.
  - Once validation criteria have been met, escape the user input, especially when it is used within dynamic SQL. When possible, use query bindings or stored procedures. Escaping input and using query bindings or stored procedures prevents SQL injection and other forms of code injection.
- Encode output
  - Before presenting dynamic content, whether it comes from a user or a database, always encode the output. Many languages and frameworks offer functions such as htmlentities() in PHP that automatically encode special characters. Displaying non-encoded special characters breaks the page's HTML and opens the door to cross-site scripting.
- Protect the user's session
  - When possible, store as much of the user's session server-side as you can. Information stored in cookies should be encrypted. To keep sensitive information from being transmitted in the clear, always serve and submit forms over an encrypted (HTTPS) connection.
- Encrypt FTP traffic using SFTP, FTPS, or FTPES
  - While the content of a regular FTP session may not be sensitive, your username and password are sent in the clear.
- Turn off error reporting
  - While appropriate in a testing environment, error reporting in production may give an attacker enough information to exploit an application.
- Identify legal and policy requirements
  - State and federal law protect education, health, financial, and other sensitive information. Ensure that your application meets the requirements defined by the applicable standards, policies, regulations, and statutes.
- Measure the risk associated with each application
  - Take into consideration the sensitivity of the information, the number of customers using the application, and the business criticality. High-risk applications should be tested rigorously for security vulnerabilities.
- Monitor application activity
  - Using an intrusion detection system, or collecting log files for regular review, will help you spot potential security events.
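The "Validate and escape user input" and "Encode output" tips above describe one pipeline: check the input against its expected format, hand it to the database as a bound parameter rather than pasting it into the SQL text, and encode every dynamic value before it reaches HTML. The following is an added example written for this page (not code from the page or from any framework it names); it uses Python's standard sqlite3 and html modules, an in-memory table with constructed sample rows, and a hypothetical username field whose whitelist pattern is an assumption chosen for the example. The deliberately unsafe `find_user_unsafe` is included only to show, side by side, what binding prevents.

```python
import html
import re
import sqlite3

# Constructed sample data for this example: an in-memory table standing in for
# the application's real database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn

# Assumed whitelist for a username field: letters, digits, underscore, 3-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

def validate_username(value):
    """Accept only input that matches the field's expected format; reject the rest."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value

def find_user_unsafe(conn, username):
    # VULNERABLE (shown for contrast only): the raw input is spliced into the SQL
    # text, so quote characters in the input change the meaning of the query.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def find_user_bound(conn, username):
    # Query binding: the driver sends the value separately from the SQL text,
    # so it is only ever compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

def render_profiles(rows):
    """Encode every dynamic value before it is placed into HTML."""
    items = "".join(
        "<li>%s: %s</li>" % (html.escape(user), html.escape(email))
        for user, email in rows
    )
    return "<ul>%s</ul>" % items

def handle_lookup(conn, raw_input):
    """The full pipeline for one request: validate, bind, encode."""
    username = validate_username(raw_input)
    return render_profiles(find_user_bound(conn, username))

if __name__ == "__main__":
    db = build_db()
    injected = "x' OR '1'='1"             # constructed input that subverts the unsafe query
    print(find_user_unsafe(db, injected))  # every row comes back
    print(find_user_bound(db, injected))   # [] : compared literally, nothing matches
    print(handle_lookup(db, "alice"))
```

Validation and binding are complementary rather than redundant: binding guarantees the input cannot change the query, while the whitelist check rejects input that would be legal to bind but wrong for the field, so the bad value never travels further downstream.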
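For the "Protect the user's session" tip, the simplest way to keep session data out of the cookie is to store it on the server and give the browser only an unguessable opaque identifier, sent with the Secure, HttpOnly and SameSite attributes so it travels only over HTTPS and is unreadable to page scripts. This added example is not from the page or any framework it mentions; it uses Python's standard secrets and http.cookies modules, and the store class, cookie name `sid`, and 30-minute lifetime are assumptions made for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # seconds; an assumed lifetime for this example

class ServerSessionStore:
    """Keeps all session data on the server; the client only ever holds an opaque id."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[sid] = {"data": dict(data), "expires": time.time() + SESSION_TTL}
        return sid

    def get(self, sid):
        """Return the session data, or None if the id is unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        return entry["data"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)

def session_cookie_header(sid):
    """Build the Set-Cookie value for the session id.

    Secure   -> only sent over HTTPS, never in the clear
    HttpOnly -> not readable from JavaScript, so script injection cannot steal it
    SameSite -> not attached to cross-site requests
    """
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

def parse_session_id(cookie_header):
    """Extract the session id from an incoming Cookie header, or None if absent."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sid")
    return morsel.value if morsel else None

if __name__ == "__main__":
    store = ServerSessionStore()
    sid = store.create({"user_id": 42, "role": "staff"})   # constructed session data
    print("Set-Cookie:", session_cookie_header(sid))
    print(store.get(parse_session_id("sid=%s; theme=dark" % sid)))
```

Because the cookie carries nothing but the random identifier, there is no user data in it to encrypt, and an attacker who captures the cookie still learns nothing about the user beyond what the server chooses to reveal for that id.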
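For the "Turn off error reporting" tip, turning reporting off does not mean discarding the detail: the stack trace and exception text should go to the server log, where operators can read them, while the user receives only a generic message and a reference id that ties the two together. This added example is written for this page and is not the page's or any framework's code; it uses Python's standard logging, traceback and uuid modules, and writes the log to an in-memory buffer (an assumption so the example runs offline) where a real deployment would use a file or log collector.

```python
import logging
import traceback
import uuid
from io import StringIO

# Constructed in-memory log sink for this example; production would log to a
# file or a central log collector that only operators can read.
_log_buffer = StringIO()
logger = logging.getLogger("example.app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(logging.StreamHandler(_log_buffer))

GENERIC_MESSAGE = "An internal error occurred. Reference: %s"

def handle_exception(exc, debug=False):
    """Return (status, body) for an HTTP error response.

    With debug=False (production) the body carries only a generic message and a
    reference id; the full traceback is written to the server log under the same
    id so it can still be investigated.  debug=True is for test environments only.
    """
    ref = uuid.uuid4().hex
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("ref=%s\n%s", ref, detail)
    if debug:
        return 500, "%s: %s" % (type(exc).__name__, exc)
    return 500, GENERIC_MESSAGE % ref

def log_contents():
    """What an operator would see in the server log."""
    return _log_buffer.getvalue()

if __name__ == "__main__":
    # Constructed failure whose message contains infrastructure detail that
    # must not reach the browser.
    try:
        raise RuntimeError("connection to db-host:5432 refused")
    except RuntimeError as exc:
        print(handle_exception(exc))             # generic message + reference
        print(handle_exception(exc, debug=True)) # test environment: full detail
    print(log_contents())
```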
If you have any questions or concerns about application security, please contact the Information Security Management Office.