Students, alumni, faculty, staff, and partners regularly conduct business with Penn using web applications. Even with perimeter security mechanisms in place, firewalls have to keep ports 80 and 443 (SSL) open in order to process web-based transactions and queries, and it is through these two ports that opportunities exist to compromise Penn's resources. Common, publicly known vulnerabilities may be introduced during web application development, and attackers can use them to compromise Penn web servers and resources. A web application invites end-users to send HTTP requests. Attacks buried within these requests sail past firewalls, filters, platform hardening, and intrusion detection systems without notice, because they arrive inside legitimate HTTP requests. Even "secure" websites that use SSL simply accept the requests that arrive through the encrypted tunnel without scrutiny; encryption protects the transport, not the application logic behind it.
As a result, Penn established a Secure Web Application Team (SWAT) to develop guidance for those who build web applications, so that these common vulnerabilities are not introduced into Penn's websites. SWAT supplemented the Open Web Application Security Project (OWASP) Top 10 Web Application Security Vulnerabilities Model with additional guidance and examples specific to Penn. The Top 10 list focuses on the most serious vulnerabilities and provides a minimum standard for web application security.
Existing code should be checked for these vulnerabilities immediately, as these flaws are being actively targeted by attackers. Development projects should address these vulnerabilities in their requirements documents and design, and should build and test their applications to ensure that the flaws have not been introduced. Project managers should include time and budget for application security activities, including developer training, application security policy development, security mechanism design and development, penetration testing, and security code review.