Secure Web Applications

Secure Code

  • Use-supplied data
    • Input Validation
    • Sanitization
    • Hidden fields
  • UI security controls
    • Easily bypassed
    • Maliciout URLS can be constructed

Secure Coding Considerations

  • Generate unique session identifiers
  • Keep sessions identifiers hidded
  • Forbid concurrent user acount logins with same account
  • Configure the "secure" cookie attribute
  • Principle of least privilege for specific app pages
  • Audit app access
  • Use existing trusted code where possible
  • After code testing, remove code comments that could be accessible to users
  • Apply updates
  • Newly modified code
  • Web app components in use

Web Application Security Flaws

  • Underlying architechture
  • Hardware, network, PKI and authentication
  • Poor coding practices Lack of propper input validation
  • No encryption of
  • Data in transit
  • Date at rest


  • Network accessibility
  • Lack of encryption
  • Lack of digital signature
  • Web app backends on user network

Operation System

  • Missing patches
  • Defatult settings
  • Unnecessary sevices
  • Unused user accounts

Web server stack

  • Missing software updates
  • Expire PKI certificates
  • Unnecessary running modules
  • Default settings
  • Using SSL insted of TLS

Third-party components

  • Lack of components knowledge
  • Missing software updates
  • Default settings
  • Authentication with other components

OWASP (Open Web App Security Project) Top 10

Authentication Factors

  • Knowledge
  • Possession
  • Inherence


  • Resource
  • Granularity
  • Type


  • Communication security
  • Storage security
  • Forward security
  • Authenticated and authorized

Securing Network Traffic

  • Don´t use SSL, it is Deprecated (Uses a PKI certificate, disable in client app and backend)
  • Use TLS (v1.0 is deprecated) >=v1.1


  • Used to secure any type of network traffic
  • Does not imply using a VPN
  • Need control of all devices/services
  • Encapsulating Security Payload (ESP)
  • Authentication Header (AH)