The 80/20 Rule for Web Application Security

The 80/20 Rule for Web Application Security.

The Web Application Security Consortium has released a guest article
written by Jeremiah Grossman (CTO of WhiteHat Security) on “The 80/20
Rule for Web Application Security: Increase your security without
touching the source code”.

In this article Jeremiah discusses ways to make your website more
difficult to exploit with little effort. It's a short, but interesting

His basic points include:

  • Supress information in default server error messages to
    prevent information disclosure. Give to much info, and an attacker will
    use it against you!
  • Remove or protect hidden files and directories. (in the face
    of the Google Hacking books and stuff.. this has never been more
  • Use web server security add-ons like IIS Lockdown, URL Scan, mod_security, and SecureIIS. This should be a no brainer.
  • Add httpOnly flag to sensitive cookies to reduce the risk of cross scripting attacks (only works on IE currently)

All good points, and easy to do. If you work on web apps, you should take a moment to read this article
[Dana Epp's ramblings at the Sanctuary]

Leave a comment