User:Ecargasil1828

Web Application Security: the branch of security that focuses specifically on websites, web services and web applications. The underlying principles are the same as for any application; however, the web introduces new or increased risk because the application is exposed to untrusted clients at all times and handles a vast amount of traffic.

Vulnerabilities
The primary vulnerabilities affecting web applications (these are the categories of the OWASP Top 10, 2010 edition) are: injection, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards.

Security Measures
To protect against these vulnerabilities, it is important to know how to apply security to the routine development tasks a developer performs. There are three primary practices for writing secure features.
 * 1) Explicitly describe the format of a valid request the application should process, and reject anything that does not match it. Validate on both the client and the server side; client-side validation improves usability, but only server-side validation is a security control, because an attacker can bypass or rewrite anything that runs in the browser.
 * 2) Reduce the attack surface by applying the principle of least privilege. Give the user the permissions needed to accomplish the task at hand, but no more. Likewise minimize the capabilities of the programming calls and objects used to write the application.
 * 3) Classify and prioritize threats using one or more methods such as STRIDE, IIMF, CIA, CIA-AN, CWE, DREAD or CVSS.
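The following is an added example, not code from the original page, of the first practice: the format of a valid request is written down explicitly as a schema, and the server rejects unknown fields, wrong types and out-of-range values instead of passing them on. The field names, the schema and the two sample request bodies are constructed for illustration.

```javascript
// Added example (not from the original page): validating an incoming
// request body against an explicit description of a valid request.
// The schema, field names and sample bodies below are constructed.

// Every field the application is willing to accept, with its type and
// the constraints a valid value must satisfy. Anything not listed is
// rejected, so the accepted shape is described explicitly (allowlist).
const transferSchema = {
  accountId: { type: 'string', pattern: /^[A-Z]{2}\d{8}$/ },
  amount:    { type: 'number', min: 0.01, max: 10000 },
  memo:      { type: 'string', maxLength: 64, required: false },
};

// Returns { ok, errors }. This runs on the server; a client-side copy of
// the same checks would only be a usability aid.
function validateRequest(schema, body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  // Reject unexpected fields rather than silently ignoring them; extra
  // fields are a common way to smuggle in privileged attributes.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [name, rule] of Object.entries(schema)) {
    const required = rule.required !== false;
    const value = body[name];
    if (value === undefined) {
      if (required) errors.push(`${name}: missing`);
      continue;
    }
    if (typeof value !== rule.type) {
      errors.push(`${name}: expected ${rule.type}`);
      continue;
    }
    if (rule.type === 'number' && !Number.isFinite(value)) {
      errors.push(`${name}: not a finite number`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(value)) errors.push(`${name}: bad format`);
    if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${name}: too long`);
    if (rule.min !== undefined && value < rule.min) errors.push(`${name}: below minimum`);
    if (rule.max !== undefined && value > rule.max) errors.push(`${name}: above maximum`);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample requests: one well-formed, one carrying an injection
// attempt in accountId, a string where a number is expected, and an
// extra field that the application never asked for.
const goodRequest = { accountId: 'GB12345678', amount: 250.5, memo: 'rent' };
const badRequest  = { accountId: "GB1234' OR 1=1--", amount: 'NaN', isAdmin: true };

console.log(validateRequest(transferSchema, goodRequest));
console.log(validateRequest(transferSchema, badRequest));
```

Describing the valid shape positively (what is allowed) rather than listing bad patterns to block is what makes this hold up against inputs nobody anticipated; the injection string above is rejected not because it was recognised as SQL but because it is not a valid account identifier.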

Authentication
Authentication is most commonly accomplished with user names and passwords. Password authentication is a weak control on its own: passwords can be captured in transit over unprotected connections, exposed unnecessarily (in URLs, logs or error messages), stored insecurely, or taken by a man-in-the-middle attack. As a result, a minimum password configuration should be enforced, including a minimum length (8 characters), minimum complexity requirements, restrictions on reusing previous passwords, and a rule that the password cannot equal the user name. Passwords should be stored only as salted hashes, never in cleartext. Authentication must be performed every single time a request is made to a protected resource, not just on the first request; in practice this means validating the user's session on every request. Two-factor authentication may be used to strengthen authentication controls.

Authorization
Authorization is the process of determining whether someone or something is allowed to access part or all of a web application. Web application authorization depends on session management: because HTTP is stateless, the session is what lets the client and server keep track of which user is making a request, so that the server can ensure the user only does what that user is authorized to do. Authorization is typically performed at multiple points or layers within the application, depending on what is being accessed and from where; for example at the route or page level (may this role call this function?) and again at the object level (may this user see this particular record?).

Browser Security
The same-origin policy is a standard browser security principle. It states that when a user is viewing a web page in a browser, script running in that page may read from or write to the content of another web page only if both pages have the same "origin", where the origin is the combination of scheme, host and port. Two pages on the same host but served over different schemes or ports are different origins, as are two different subdomains of the same site, while path, query string and fragment do not affect the origin.
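As an added example that is not part of the original page, the origin comparison can be made concrete with the standard URL parser, which exposes the scheme/host/port triple as `origin` (omitting the scheme's default port). The page URL and the comparison cases are constructed for illustration.

```javascript
// Added example (not from the original page): deriving the origin of a
// URL and testing which pairs the same-origin policy treats as equal.
// The page URL and the comparison cases are constructed.

// WHATWG URL parsing (built into browsers and Node): origin is
// scheme + host + port, with a default port (80, 443) left out.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The page the script is running in.
const page = 'https://app.example.com/account?id=7';

// [candidate URL, expected same-origin result, why]
const cases = [
  ['https://app.example.com/other/path#x', true,  'path, query and fragment are ignored'],
  ['https://app.example.com:443/',         true,  'explicit default port is the same origin'],
  ['http://app.example.com/',              false, 'scheme differs'],
  ['https://app.example.com:8443/',        false, 'port differs'],
  ['https://api.example.com/',             false, 'host differs, even a sibling subdomain'],
  ['https://example.com/',                 false, 'the parent domain is still a different origin'],
];

// Runs every case and reports whether the parser agreed with the rule.
function checkCases() {
  return cases.map(([url, expected, why]) => ({
    url, why, expected, actual: sameOrigin(page, url),
  }));
}

for (const c of checkCases()) {
  console.log(`${c.actual === c.expected ? 'ok  ' : 'FAIL'} ${c.url} -> ${c.actual} (${c.why})`);
}
```

The policy restricts what a script can read back from another origin; it does not stop the browser from sending a request there (a form post or an image load still carries the user's cookies), which is why cross-site request forgery, listed under Vulnerabilities above, remains a separate concern.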