WebAppSec/MozSecureWorld: Difference between revisions
Revision diff (context from line 51, after "Setup backend database" and "Authentication"): the newer revision adds a "Links References" section containing https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
Revision as of 20:53, 7 June 2011
Purpose
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.
Uses
- Demonstration of secure application design
- Explanation of importance and purpose of security features
- Learning tool for others to reference
- Testing site to validate effectiveness of security & design recommendations
- Evaluation tool for penetration testers and pen-testing tools
Design
Architecture
Python on Django via Playdoh
Security Components & Controls
Authentication
- Brute force prevention via adaptive CAPTCHA
- Password storage via bcrypt and system nonce
- Account creation with blacklisted password support
- (Possible) Secure Password Reset
Access Control
- Presentation, Business, Data Layer Access Control
- (Possible) Two tier design for admin account separation
Input Validation
- Rich text handling via bleach
- File upload support via secure file handling guidelines
- File Handling
- SQL
- (Possible) Third party service
- (Possible) Third-party hosted images: initial processing and/or per-visit processing?
Transport Security
- Full & correct TLS
- HTTP Strict Transport Security
Cross Domain Controls
- X-Frame-Options
Cookie Protection
- Secure Flag
- HTTPOnly Flag
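The Transport Security, Cross Domain Controls and Cookie Protection items above are all response-header controls. As an added illustration (not code from the MozSecureWorld project or the wiki page), the WSGI middleware below applies them in one place: it sets X-Frame-Options, sends Strict-Transport-Security only on HTTPS responses, and appends the Secure and HttpOnly flags to every Set-Cookie header that lacks them. The header values and class name are assumptions; in a Django/Playdoh app the same policy would normally come from settings.py.

```python
# Added example: framework-agnostic WSGI middleware enforcing the
# header-based controls listed in the design. Values are assumptions.
FRAME_OPTIONS = "DENY"
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year


def harden_set_cookie(value):
    """Append Secure and HttpOnly to a Set-Cookie value when missing."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.lower() for a in attrs}
    if "secure" not in present:
        attrs.append("Secure")
    if "httponly" not in present:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def harden_headers(headers, https):
    """Return a new header list with the policy applied.

    App-supplied X-Frame-Options / HSTS values are dropped so the policy
    below always wins; HSTS is emitted only on HTTPS responses because
    browsers ignore it (and it leaks nothing useful) over plain HTTP.
    """
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            value = harden_set_cookie(value)
        elif lname in ("x-frame-options", "strict-transport-security"):
            continue
        out.append((name, value))
    out.append(("X-Frame-Options", FRAME_OPTIONS))
    if https:
        out.append(("Strict-Transport-Security", HSTS_VALUE))
    return out


class SecurityHeadersMiddleware:
    """Wraps any WSGI app and rewrites headers on the way out."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        https = environ.get("wsgi.url_scheme") == "https"

        def _start(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers, https), exc_info)

        return self.app(environ, _start)
```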
Roadmap
- Set up Playdoh & GitHub
- Running HelloWorld
- Design Planning
- Code basic item first (X-Frame-Options)
- Complete initial presentation layer and CSS for basic item
- Set up backend database
- Authentication