The Web Application Security Consortium has released a guest article
written by Jeremiah Grossman (CTO of WhiteHat Security) on “The 80/20
Rule for Web Application Security: Increase your security without
touching the source code”.
In this article, Jeremiah discusses ways to make your website more
difficult to exploit with little effort, and without changing a line of
application code. It's a short but interesting
His basic points include:
- Suppress information in default server error messages to
prevent information disclosure. Give away too much (server version, stack
traces, file paths), and an attacker will use it against you!
- Remove or protect hidden files and directories: backups, editor swap
files, version-control metadata and so on. (In the face of the Google
Hacking books and similar resources, this has never been more
- Use web server security add-ons like IIS Lockdown, URLScan, mod_security, and SecureIIS. This should be a no-brainer.
- Add the httpOnly flag to sensitive cookies to reduce the risk of cross-site scripting (XSS) attacks stealing them (at the time of writing, only Internet Explorer honors the flag).
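As an added illustration (this is not from the WASC article or from Jeremiah's post), here is what those four points look like when applied in an Apache httpd 2.4 configuration. It assumes mod_headers and mod_security2 are loaded; the error page path, the file-name patterns and the single mod_security rule (id 100001) are made-up placeholders for your own values.

```apache
# Added example: Apache httpd 2.4 hardening without touching application code.
# Assumes mod_headers and mod_security2 are loaded. Paths, file patterns and
# the rule ID below are placeholders, not a recommended production ruleset.

# 1. Suppress information in default server error messages.
#    "Server: Apache" instead of the full version/module list, and no
#    version footer on server-generated error pages.
ServerTokens Prod
ServerSignature Off
#    Serve a static, generic page for errors so no stack traces or file
#    paths reach the client (the page must exist and be readable).
ErrorDocument 403 /errors/generic.html
ErrorDocument 404 /errors/generic.html
ErrorDocument 500 /errors/generic.html

# 2. Remove or protect hidden files and directories that search engines
#    would otherwise index: .htaccess/.htpasswd, backup and swap files,
#    version-control metadata, and auto-generated directory listings.
<FilesMatch "(^\.ht|\.(bak|old|orig|sql|swp|tar|zip)$)">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.(git|svn|hg)(/|$)">
    Require all denied
</DirectoryMatch>
Options -Indexes

# 3. Web server security add-on: run mod_security in blocking mode.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    #  Placeholder rule: reject any request parameter carrying an obvious
    #  SQL injection pattern. A real deployment would load a maintained
    #  ruleset such as the OWASP Core Rule Set instead of one-off rules.
    SecRule ARGS "@rx (?i)\bunion\s+select\b" \
        "id:100001,phase:2,deny,status:403,log,msg:'SQL injection pattern in argument'"
</IfModule>

# 4. Add the httpOnly flag (and Secure) to every cookie the application
#    sets, so script on the page cannot read it via document.cookie in
#    browsers that honor the flag.
<IfModule mod_headers.c>
    Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
</IfModule>
```

After reloading, `curl -I https://host/` should show a bare `Server: Apache` header and a `Set-Cookie` line ending in `; HttpOnly; Secure`. Note that `Header edit` appends the attributes unconditionally, so a cookie the application already marks HttpOnly gets the attribute twice (harmless, but tidy it up with a negative lookahead if it bothers you), and `Secure` means the cookie is only sent over HTTPS, so drop it on plain-HTTP sites.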