Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.


80/20 Rule for Web Application Security

[By way of Dana Epp]

The Web Application Security Consortium has released a guest article written by Jeremiah Grossman (CTO of WhiteHat Security) on "The 80/20 Rule for Web Application Security: Increase your security without touching the source code".

In this article Jeremiah discusses ways to make your website more difficult to exploit with little effort. It's a short but interesting read.

His basic points include:

  • Suppress information in default server error messages to prevent information disclosure. Give too much info, and an attacker will use it against you!
  • Remove or protect hidden files and directories. (In the face of the Google Hacking books and stuff... this has never been more important.)
  • Use web server security add-ons like IIS Lockdown, URLScan, mod_security, and SecureIIS. This should be a no-brainer.
  • Add the httpOnly flag to sensitive cookies to reduce the risk of cross-site scripting attacks (only works on IE currently).

All good points, and easy to do. If you work on web apps, you should take a moment to read this article.

This looks like a good article and a welcome addition to knowing how best to secure your web site.
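As an added illustration of three of the points above (not code from the article, Dana's post, or this blog), here is an ASP.NET web.config fragment that shows the weak setting beside the hardened one for error messages and cookies, and denies access to a leftover directory. It assumes ASP.NET 2.0 or later (the httpCookies element does not exist in 1.x) and a hypothetical directory name, admin-backup.

```xml
<?xml version="1.0"?>
<!-- Added example: hardened ASP.NET web.config (assumes ASP.NET 2.0 or later) -->
<configuration>
  <system.web>
    <!-- Weak:     <customErrors mode="Off" />
         mode="Off" sends the full exception, stack trace and source excerpt to
         any client. RemoteOnly keeps that detail for requests from localhost and
         gives remote users a generic page instead (point 1: suppress error info). -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/Error.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>

    <!-- Weak:     <compilation debug="true" />
         Debug builds add extra detail to error output; turn it off in production. -->
    <compilation debug="false" />

    <!-- Marks every cookie the application issues (session, forms authentication,
         custom) as HttpOnly, so script running in the page cannot read it via
         document.cookie (point 4: httpOnly on sensitive cookies). -->
    <httpCookies httpOnlyCookies="true" />
  </system.web>

  <!-- Deny all users access to a hidden or leftover directory (hypothetical name).
       Caveat: on IIS 6 this only covers requests that IIS hands to ASP.NET; static
       files such as .bak, .txt or .zip are served by IIS itself unless the
       extension is mapped to ASP.NET, so also remove the files or lock them down
       in IIS (point 2: remove or protect hidden files and directories). -->
  <location path="admin-backup">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Checking the result is simple: request a non-existent page and a file under the blocked directory from a remote machine and confirm that neither response contains a stack trace, and that the Set-Cookie header on a login response carries the HttpOnly attribute.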

Published Monday, January 31, 2005 2:42 PM by RHurlbut