This page uses content from Wikipedia and is licensed under CC BY-SA.
|This article is part of a series on|
|Related security categories|
Web application security is a branch of information security that deals specifically with security of websites, web applications and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.
The majority of web application attacks occur through cross-site scripting (XSS) and SQL injection attacks which typically are made possible by flawed coding and failure to sanitize application inputs and outputs. These attacks are ranked in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors.
According to the security vendor Cenzic, the top vulnerabilities in March 2012 include:
|4%||Arbitrary code execution|
|4%||Cross-site request forgery|
|3%||Data breach (information disclosure)|
|3%||Arbitrary file inclusion|
|2%||Local file inclusion|
|1%||Remote file inclusion|
Secure web application development should be enhanced by applying security checkpoints and techniques at early stages of development as well as throughout the software development lifecycle. Special emphasis should be applied to the coding phase of development. Security mechanisms that should be used include, threat modeling, risk analysis, static analysis, digital signature, among others.
OWASP is the emerging standards body for web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database (WHID) and also produced open source best practice documents on web application security. The WHID became an OWASP project in February 2014.
While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include: