Web Security archives - IT Trenches


Jul 20 2009   7:22PM GMT

Do you manage or develop websites and need to know more about securing them?

Posted by: Troy Tate
Tags: OWASP, application development, web application development, web security, application security, cross-site scripting, training, information security, internet security

If you do manage websites, then you should know about the Open Web Application Security Project (OWASP). This group is working to make web application security issues visible so organizations can make intelligent decisions about how to address the risks.

There is a great series of very short (5 minute) presentations from OWASP about web vulnerabilities. One of the most interesting is about cross-site scripting (XSS) vulnerabilities. This is a huge issue, and web application developers need to understand this threat and how to address it. Take a few minutes and watch the series. You may pick up something you never knew about web vulnerabilities and be better able to explain the risks of certain applications to your organization.

These presentations are also focused on discussing the Consensus Audit Guidelines (CAG) and how they apply to application and service development.

Thanks for reading & let’s continue to be good network citizens!

Apr 29 2009   1:02PM GMT

Google has published a browser security handbook for developers

Posted by: Troy Tate
Tags: browser, Security, web security, browser security, Internet Explorer, Chrome, Safari, Firefox, web development

If you develop websites or manage web services, then you should check out the Browser Security Handbook that Google publishes on its code.google.com website. The Browser Security Handbook currently has three sections:

Part 1: Basic concepts behind web browsers

  • Uniform Resource Locators
    • Unicode in URLs
  • True URL schemes
  • Pseudo URL schemes
  • Hypertext Transfer Protocol
  • Hypertext Markup Language
    • HTML entity encoding
  • Document Object Model
  • Browser-side Javascript
    • Javascript character encoding
  • Other document scripting languages
  • Cascading stylesheets
    • CSS character encoding
  • Other built-in document formats
  • Plugin-supported content

Part 2: Standard browser security features

  • Same-origin policy
    • Same-origin policy for DOM access
    • Same-origin policy for XMLHttpRequest
    • Same-origin policy for cookies
    • Same-origin policy for Flash
    • Same-origin policy for Java
    • Same-origin policy for Silverlight
    • Same-origin policy for Gears
    • Origin inheritance rules
    • Cross-site scripting and same-origin policies
  • Life outside same-origin rules
    • Navigation and content inclusion across domains
    • Arbitrary page mashups (UI redressing)
    • Gaps in DOM access control
    • Privacy-related side channels
  • Various network-related restrictions
    • Local network / remote network divide
    • Port access restrictions
    • URL scheme access rules
    • Redirection restrictions
    • International Domain Name checks
    • Simultaneous connection limits
  • Third-party cookie rules
  • Content handling mechanisms
    • Survey of content sniffing behaviors
    • Downloads and Content-Disposition
    • Character set handling and detection
    • Document caching
  • Defenses against disruptive scripts
    • Popup and dialog filtering logic
    • Window appearance restrictions
    • Execution timeouts and memory limits
    • Page transition logic
  • Protocol-level encryption facilities

Part 3: Experimental and legacy security mechanisms

  • HTTP authentication
  • Name look-ahead and content prefetching
  • Password managers
  • Microsoft Internet Explorer zone model
  • Microsoft Internet Explorer frame restrictions
  • Mozilla and Safari HTML5 storage experiments
  • Microsoft Internet Explorer XSS filtering
  • Script restriction frameworks
  • Origin headers
  • Mozilla content security policies

This is a good resource for developers and administrators to understand browser & web security considerations.

Thanks for reading and let’s continue to be good network citizens.