The 80/20 Rule for Web Application Security.
The Web Application Security Consortium has released a guest article
written by Jeremiah Grossman (CTO of WhiteHat Security) on “The 80/20
Rule for Web Application Security: Increase your security without
touching the source code”.
In this article Jeremiah discusses ways to make your website more
difficult to exploit with little effort. It's a short but interesting
read.
His basic points include:
- Suppress information in default server error messages to prevent information disclosure. Give too much info, and an attacker will use it against you!
- Remove or protect hidden files and directories. (In the face of the Google Hacking books and stuff, this has never been more important.)
- Use web server security add-ons like IIS Lockdown, URLScan, mod_security, and SecureIIS. This should be a no-brainer.
- Add the httpOnly flag to sensitive cookies to reduce the risk of cross-site scripting attacks (only works on IE currently).
All good points, and easy to do. If you work on web apps, you should take a moment to read this article.
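As an added illustration (not code from the article or from WhiteHat Security), the following Python check covers two of the points above: it flags sensitive-looking cookies set without HttpOnly and error responses that disclose server details. The cookie-name heuristic, the leak patterns and the sample responses are assumptions constructed for this example.

```python
import re

# Assumed naming heuristic for cookies worth protecting (not from the article).
SENSITIVE = re.compile(r"sess|auth|token|login", re.I)
# Assumed signatures of default error pages that disclose server details.
LEAKS = {
    "server version banner": re.compile(r"\b(Apache|Microsoft-IIS|nginx)/\d[\w.]*", re.I),
    "stack trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)"),
    "filesystem path": re.compile(r"[A-Za-z]:\\[\w\\.-]+|/(?:var|usr|home|etc)/[\w/.-]+"),
}

def parse_response(raw):
    """Split a raw HTTP response into (status code, header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return status, headers, body

def audit(raw):
    """Return findings for cookies missing HttpOnly and leaky error bodies."""
    status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in value.split(";")]
        cookie = pair.split("=", 1)[0]
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        if SENSITIVE.search(cookie) and "httponly" not in flags:
            findings.append(f"cookie {cookie}: missing HttpOnly")
    if status >= 400:  # only error pages are checked for disclosure
        for label, rx in LEAKS.items():
            if rx.search(body):
                findings.append(f"error page ({status}): {label}")
    return findings

# Constructed sample responses, not captured from any real site.
LOGIN_OK = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
            "Set-Cookie: authtoken=xyz; Path=/; HttpOnly\r\n"
            "Set-Cookie: theme=dark\r\n\r\nwelcome")
NOT_FOUND = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
             "<address>Apache/2.0.52 (Unix) Server at example.test Port 80</address>")

if __name__ == "__main__":
    for sample in (LOGIN_OK, NOT_FOUND):
        print(audit(sample))
```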
[Dana Epp's ramblings at the Sanctuary]