Difference between revisions of "Web Application Security"

From UFRC
Jump to navigation Jump to search
 
Line 18: Line 18:
  
 
Please contact [https://support.rc.ufl.edu UFIT RC Support]] if you have any questions or concerns in regards to application(s) hosted in PUBAPPS.
 
Please contact [https://support.rc.ufl.edu UFIT RC Support]] if you have any questions or concerns in regards to application(s) hosted in PUBAPPS.
 
==Summary of Guidelines==
 
 
<pre>
 
    Input Validation:
 
        Validate all input on the server side
 
        Implement strong input validation for all user-supplied data
 
        Use whitelist validation where possible
 
 
    Output Encoding:
 
        Encode all user-supplied data before displaying it in the browser
 
        Use context-specific encoding for different parts of the application
 
 
    Authentication and Password Management:
 
        Implement strong password policies
 
        Use multi-factor authentication where possible
 
        Secure password reset mechanisms
 
 
    Session Management:
 
        Generate strong session identifiers
 
        Implement proper session timeout and invalidation
 
        Protect against session fixation attacks
 
 
    Access Control:
 
        Implement principle of least privilege
 
        Use role-based access control
 
        Enforce access controls on the server side
 
 
    Cryptographic Practices:
 
        Use strong, up-to-date encryption algorithms
 
        Properly manage encryption keys
 
        Use HTTPS for all sensitive communications
 
 
    Error Handling and Logging:
 
        Implement proper error handling without revealing sensitive information
 
        Log security-relevant events and protect log files
 
 
    Data Protection:
 
        Encrypt sensitive data at rest and in transit
 
        Implement proper data retention and disposal policies
 
 
    Communication Security:
 
        Use TLS for all communications
 
        Validate SSL/TLS certificates
 
 
    System Configuration:
 
        Harden server and application configurations
 
        Keep software and libraries up to date
 
 
    Database Security:
 
        Use parameterized queries to prevent SQL injection
 
        Limit database access and privileges
 
 
    File Management:
 
        Validate file uploads and restrict file types
 
        Store uploaded files outside the web root
 
 
    Memory Management:
 
        Properly allocate and deallocate memory
 
        Guard against buffer overflow vulnerabilities
 
 
    General Coding Practices:
 
        Follow secure coding guidelines
 
        Conduct regular code reviews and security testing
 
 
    API Security:
 
        Implement proper authentication and authorization for APIs
 
        Rate limit API requests to prevent abuse
 
 
    Security Headers:
 
        Implement security headers like Content Security Policy (CSP)
 
        Use HTTP Strict Transport Security (HSTS)
 
 
    Cross-Site Scripting (XSS) Prevention:
 
        Implement proper input validation and output encoding
 
        Use Content Security Policy to mitigate XSS risks
 
 
    Cross-Site Request Forgery (CSRF) Prevention:
 
        Implement anti-CSRF tokens
 
        Use SameSite cookie attribute
 
</pre>
 

Latest revision as of 19:10, 18 July 2024

Back to Web_Application_Hosting

Security Practices

All web applications developed and running on the PUBAPPS web hosting infrastructure must adhere to good web application security practices. The most prominent source of such practices/guidelines is OWASP web security testing guidelines. It's a long testing guide, which is also summarized in the OWASP Checklist. The most important points are listed in the top ten vulnerabilities. It is the responsibility of a project using PUBAPPS to follow the OWASP guidelines. All web applications are subject to security scanning by UFIT Security and a takedown (immediate to delayed depending on the severity of the issue) with appropriate notification of the project group's sponsor.

Application Maintenance

All web applications developed and running in pubapps require maintenance because security requirements are not static and the necessary security updates may necessitate either of

  • updating application code if a vulnerability is discovered in an application hosted in PUBAPPS.
  • updating the framework an application is using if a vulnerability is discovered in the framework version used by a PUBAPPS application.
  • Updating application code if the application is no longer functional because its dependencies or system package(s) were upgraded due to a security vulnerability.

It is the responsibility of a project hosting application(s) no PUBAPPS to update their application code and or dependencies in response to security vulnerabilities. All applications that are not updated within the timeframe stated in the notification are subject to a takedown. UFIT Research Computing is not responsible for applications that become non-functional because they weren't updated in response to security updates in their dependencies or system packages. Containerized applications are responsible for updating application dependencies and system packages inside the containers orchestrated for the application.

When major operating system (Red Hat Enterprise Linux) release upgrades are planned on HiPerGator groups with PUBAPPS projects will be notified and provided a development environment to test and implement updates to the application code and dependencies to enable the applications to run on the new operating system releases.

Please contact UFIT RC Support] if you have any questions or concerns in regards to application(s) hosted in PUBAPPS.