Penn Computing
Saturday, July 26, 2014
Top 10 Web Application Security Vulnerabilities

Based on OWASP Research

Introduction

Students, alumni, faculty, staff, and partners regularly conduct business with Penn through web applications. Even with perimeter security mechanisms in place, firewalls must leave ports 80 (HTTP) and 443 (HTTPS) open so that web-based transactions and queries can be processed, and it is through these two ports that Penn's resources can be attacked. Common, publicly known classes of vulnerability can be introduced during web application development and then used by attackers to compromise Penn web servers and the data behind them. A web application, by design, invites end users to send it HTTP requests. An attack can be carried inside such a request and pass firewalls, filters, platform hardening, and intrusion detection systems unnoticed, because the request is syntactically legal HTTP; only the application knows what the values inside it mean. A "secure" website that uses SSL/TLS is no better off: encryption protects the request in transit but does not inspect it, so the application receives the same malicious input through the encrypted tunnel, and network-based monitoring sees even less of it.
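To make the point above concrete, here is an added example (written for this page; it is not Penn or OWASP code). It parses two constructed HTTP requests to a hypothetical campus directory lookup: one legitimate, one carrying a SQL injection payload in the query string. Both are well-formed HTTP/1.1, which is exactly why a firewall passes them. The vulnerable lookup concatenates the parameter into SQL and returns records that were supposed to be private; the corrected lookup uses a parameterized query and an allowlist check on the input. The table, names, and phone numbers are made up for the example.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not real traffic). Both are syntactically
# valid HTTP/1.1, so a firewall or port filter has no reason to block them.
LEGIT_REQUEST = (
    "GET /directory?name=smith HTTP/1.1\r\n"
    "Host: directory.example.edu\r\n"
    "\r\n"
)
# Query string decodes to: smith' OR '1'='1
ATTACK_REQUEST = (
    "GET /directory?name=smith%27+OR+%271%27%3D%271 HTTP/1.1\r\n"
    "Host: directory.example.edu\r\n"
    "\r\n"
)


def parse_request(raw):
    """Parse the request line of a raw HTTP request into
    (method, path, params). Mirrors what a web server hands the app."""
    request_line = raw.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ")
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return method, url.path, params


def build_db():
    """Hypothetical directory table: only rows with public=1 may be shown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, phone TEXT, public INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", [
        ("smith", "215-555-0100", 1),
        ("jones", "215-555-0101", 0),   # unlisted
        ("lee",   "215-555-0102", 0),   # unlisted
    ])
    return conn


def lookup_vulnerable(conn, name):
    """The flaw: string concatenation lets the attacker's quote characters
    become SQL. With the payload above the WHERE clause becomes
    public = 1 AND name = 'smith' OR '1'='1', which matches every row."""
    sql = ("SELECT name, phone FROM people "
           "WHERE public = 1 AND name = '" + name + "'")
    return conn.execute(sql).fetchall()


NAME_RE = re.compile(r"^[A-Za-z][A-Za-z'-]{0,63}$")


def is_valid_name(name):
    """Allowlist check on the parameter value: a second line of defense
    that rejects anything that does not look like a surname."""
    return bool(NAME_RE.match(name)) and " " not in name


def lookup_safe(conn, name):
    """The fix: a parameterized query treats the payload as data only.
    Input that fails the allowlist is rejected before touching the DB."""
    if not is_valid_name(name):
        return []
    sql = "SELECT name, phone FROM people WHERE public = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def handle(conn, raw_request, safe=True):
    """Simulate the application layer receiving the request."""
    _method, _path, params = parse_request(raw_request)
    name = params.get("name", "")
    return lookup_safe(conn, name) if safe else lookup_vulnerable(conn, name)


if __name__ == "__main__":
    db = build_db()
    print("legit, vulnerable:", handle(db, LEGIT_REQUEST, safe=False))
    print("attack, vulnerable:", handle(db, ATTACK_REQUEST, safe=False))
    print("attack, safe:", handle(db, ATTACK_REQUEST, safe=True))
```

Nothing at the network layer distinguishes the two requests; the difference only appears once the application interprets the `name` value, which is why the checks in this list have to live in the application code rather than in the firewall.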

As a result, Penn established a Secure Web Application Team (SWAT) to develop guidance for those who build web applications, so that these common vulnerabilities are not introduced into Penn's websites. SWAT supplemented the Open Web Application Security Project (OWASP) Top 10 Web Application Security Vulnerabilities model with additional guidance and examples specific to Penn. The Top 10 list focuses on the most serious vulnerabilities and provides a minimum standard for web application security.

Existing code should be checked for these vulnerabilities immediately, as these flaws are being actively targeted by attackers. Development projects should address these vulnerabilities in their requirements documents and design, build, and test their applications to ensure that they have not been introduced. Project managers should include time and budget for application security activities including developer training, application security policy development, security mechanism design and development, penetration testing, and security code review.

Information Systems and Computing
University of Pennsylvania