WebAppSec/MozSecureWorld: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
Line 30: Line 30:
* SQL  
* SQL  
* (Possible) Third party service
* (Possible) Third party service
* (Possible) Third party hosted images. Initial processing and per visit processing?


=== Transport Security ===
=== Transport Security ===

Revision as of 20:45, 7 June 2011

Purpose

A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.

Uses

  • Demonstration of secure application design
  • Explanation of importance and purpose of security features
  • Learning tool for others to reference
  • Testing site to validate effectiveness of security & design recommendations
  • Evaluation tool for pen testing individuals or tools

Design

Architecture

Python on Django via Playdoh

Security Components & Controls

Authentication

  • Brute force prevention via adaptive CAPTCHA
  • Password storage via bcrypt and system nonce
  • Account creation with blacklisted password support
  • (Possible) Secure Password Reset

Access Control

  • Presentation, Business, Data Layer Access Control
  • (Possible) Two tier design for admin account separation

Input Validation

  • Rich text handling via bleach
  • File upload support via secure file handling guidelines
  • File Handling
  • SQL
  • (Possible) Third party service
  • (Possible) Third party hosted images. Initial processing and per visit processing?

Transport Security

  • Full & correct TLS
  • HTTP Strict Transport Security

Cross Domain Controls

  • X-frame-options

Cookie Protection

  • Secure Flag
  • HTTPOnly Flag

Roadmap

  1. Setup playdoh & github
  2. Running HelloWorld
  3. Design Planning
  4. Code basic item first (x-frame-options)
  5. Complete initial presentation layer and CSS for basic item
  6. Setup backend database
  7. Authentication
Retrieved from "https://wiki.mozilla.org/index.php?title=WebAppSec/MozSecureWorld&oldid=316459"