Security - Miscellaneous


// Security - Miscellaneous:

OWASP: Open Web Application Security Project
XSS: Cross Site Scripting
CSRF: Cross Site Request Forgery

Push left: move security earlier in the development lifecycle. Focus on making 
security an integral part of your culture throughout your development 
organization.

The use of static code analysis tools (FindBugs, Snort, SONAR) is also recommended.
The use of security scanners such as ZAP or Chimera is also recommended.

When the user wants to change his or her password, we should ask for the old 
password.  This confirms that the password is not being changed without the 
user's knowledge (for example via an XSS or CSRF attack), since a forged or 
injected request will not be able to supply the current password.
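The check described above, as an added example that is not part of the original page: a password-change routine that refuses to replace the stored hash unless the caller can present the current password. The in-memory user store, the user names and the PBKDF2 parameters are constructed for this example; a real application would use its own user database and a vetted password-hashing library.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed parameters for the example; tune iterations for your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256.

    A fresh random salt is generated unless one is supplied (for verification).
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the candidate password against the stored hash."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class UserStore:
    """Toy in-memory user store (constructed for the example, not a real backend)."""

    def __init__(self) -> None:
        self._users: Dict[str, Dict[str, bytes]] = {}

    def create(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest}

    def check_login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so a missing user costs the same time as a wrong password.
            hash_password(password)
            return False
        return verify_password(password, rec["salt"], rec["hash"])

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """Replace the stored hash only if old_password matches the current one.

        A request forged via CSRF, or fired from injected script, does not know
        the user's current password, so this check stops it from silently
        rotating the credential even when the victim's session cookie is sent.
        """
        rec = self._users.get(username)
        if rec is None:
            return False
        if not verify_password(old_password, rec["salt"], rec["hash"]):
            return False  # refuse: caller could not prove knowledge of the current password
        salt, digest = hash_password(new_password)
        rec["salt"], rec["hash"] = salt, digest
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create("alice", "correct horse battery staple")
    # A forged request that omits or guesses the old password is rejected.
    print("forged change accepted:", store.change_password("alice", "", "attacker-chosen"))
    # The legitimate user, who knows the current password, succeeds.
    print("legit change accepted:", store.change_password("alice", "correct horse battery staple", "new passphrase"))
    print("login with new password:", store.check_login("alice", "new passphrase"))
```

The same principle applies to any credential-changing or account-recovery endpoint (e-mail address, MFA enrolment): require proof of the current secret, not just a valid session.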

Even though it is possible to configure the browser so that the user does not 
have to type a username and password to log into a web application (for 
example on an intranet), much as we typically configure a terminal to use 
passwordless ssh, it is still a good idea to require both a password and SSL 
client authentication together.  The reason is the same one for which we 
require the old password when the user changes his or her password: a 
credential the browser presents automatically can be exercised without the 
user's involvement.

1. Make sure to use only HTTPS for calling out to all external endpoints that 
   interact with your force.com application. This helps protect against 
   malicious network adversaries.  HTTP does not provide any security guarantees 
   and gives a network attacker the ability to intercept, modify or drop network 
   traffic. 

2. Embedding HTTP resources on an HTTPS page leads to Mixed Content 
   vulnerabilities. A network attacker can now tamper with the HTTP resource 
   and control what's loaded onto the page. 

3. When using external resources as a part of your application, make sure to 
   host them as static resources instead of loading them dynamically when the 
   page loads. This gives you control over what is loaded into the DOM at 
   runtime.

4. Any cookies set by your application for authentication, authorization, or 
   which contain private or personally identifiable information must set the 
   Secure flag to ensure they are only sent over HTTPS.  When the server sets 
   cookies without the Secure attribute, the browser will send the cookie back 
   to the server over either HTTP or HTTPS connections.
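A small audit for items 2 and 4 above, added here as an example and not code from the original page: it scans an HTML body for sub-resources pulled over plain http:// (mixed content) and checks each Set-Cookie header for the Secure attribute. It also reports a missing HttpOnly attribute, which the page does not mention but which keeps the cookie out of reach of injected script. The sample headers, HTML and host names are constructed for the example; the element and attribute table is an assumption about which references the browser fetches as sub-resources.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Elements and attributes through which a page loads sub-resources (assumed
# list for the example). An http:// value in one of these on an https:// page
# is mixed content that a network attacker can tamper with.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, url) pairs for sub-resources referenced over plain HTTP."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in RESOURCE_ATTRS.get(tag, ()):
                url = value.strip()
                # Relative and https:// references are fine; only an explicit
                # http:// scheme is flagged.
                if urlparse(url).scheme.lower() == "http":
                    self.findings.append((tag, url))


def find_mixed_content(html: str) -> List[Tuple[str, str]]:
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the protective attributes missing from one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    # parts[0] is name=value; the rest are attributes such as Secure or Path=/
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")  # otherwise the browser also sends it over HTTP
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def audit_response(headers: List[Tuple[str, str]], html: str) -> Dict[str, object]:
    """Audit one HTTPS response: mixed content in the body, weak cookies in headers."""
    weak_cookies: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            missing = audit_set_cookie(value)
            if missing:
                weak_cookies[cookie_name] = missing
    return {"mixed_content": find_mixed_content(html), "weak_cookies": weak_cookies}


# Constructed sample response for the example (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/app.css">
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/static/local.png">
</body></html>"""

if __name__ == "__main__":
    print(audit_response(SAMPLE_HEADERS, SAMPLE_HTML))
```

On the constructed sample the audit flags the analytics script and the logo image as mixed content, and reports that the sessionid cookie lacks the Secure attribute while csrftoken is fine.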

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License