Master Application Security with 2 Concepts

--

@author Randy Gingeleski

@since 11/08/2016

@see application security

--

Application security boils down to two concepts. Everything else extends from these.

1. NO INPUT IS TRUSTWORTHY

Never assume any input is trustworthy. This includes text fields, strings encoded on RFID cards, uploads of images or other files, GETs and POSTs … anything from outside the application.

For every typical entry into your username field, imagine one SQL injection attempt and 10,000 brute-force attempts.

2. NEVER PROVIDE MORE ACCESS THAN NECESSARY

Your users should have bare minimum privileges to meet their needs. If seeing that other users exist isn’t a use case, they shouldn’t be able to do that.

Beyond functionality, this applies to information. Nobody beyond technical staff should know your application is ASP.NET, not even managers if it doesn’t pertain to their job. Hide those “.aspx” extensions (htaccess is one way) and redact error output.

“Information” also means client-accessible source code like HTML. Assume your HTML will be scrutinized all day long. The excrement of lazy developers is commented-out HTML and JavaScript. A painful amount of that is valuable to security researchers.
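One way to catch this before it ships is to audit rendered pages for comments as a build step. The script below is an added example, not code from the original post; the heuristics, the function names (`audit_html`, `blocking`) and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics chosen for this example, not an exhaustive rule set.
CODE_HINT = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|\b(?:var|let|const)\s+\w+\s*=|\bfunction\b\s*\w*\s*\(|=>")
INFO_HINT = re.compile(r"\.aspx\b|\btodo\b|\bfixme\b|password|debug|internal", re.I)
JS_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)  # naive: also matches "//" inside string literals

class CommentAudit(HTMLParser):
    """Collect every comment a browser user could read, with its line number."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = (tag == "script")
    def handle_endtag(self, tag):
        self._in_script = False  # inside <script> the only end tag seen is </script>
    def handle_comment(self, data):
        self._record(self.getpos()[0], "html", data)
    def handle_data(self, data):
        if self._in_script:
            base = self.getpos()[0]  # line where this chunk of script text starts
            for m in JS_COMMENT.finditer(data):
                self._record(base + data.count("\n", 0, m.start()), "js", m.group(0))
    def _record(self, line, kind, text):
        label = "code" if CODE_HINT.search(text) else "hint" if INFO_HINT.search(text) else "other"
        self.findings.append((line, kind, label, " ".join(text.split())))

def audit_html(markup):
    parser = CommentAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings  # list of (line, kind, label, text)

def blocking(findings):
    """Findings that should fail a build: commented-out code or revealing notes."""
    return [f for f in findings if f[2] != "other"]

# Constructed sample page, not taken from any real application.
SAMPLE = """<html><body>
<!-- nav -->
<!-- <a href="/admin/UserList.aspx">All users</a> -->
<script>
// var exportUrl = "/admin/Export.aspx";
</script>
<!-- TODO: remove test account before launch --></body></html>"""

if __name__ == "__main__":
    print(*blocking(audit_html(SAMPLE)), sep="\n")
```

On the sample page, the harmless `nav` comment is labelled `other`, while the commented-out link, the commented-out JavaScript and the TODO note are the three findings `blocking` returns.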