One way we ensure secure operation is by using a tool called IBM Rational AppScan. AppScan probes an application for vulnerabilities by mounting attacks against it, such as those listed on the Web Application Security Consortium site. A scan is performed prior to each release and can be performed at unscheduled times at the request of the product team. Threats that AppScan has detected, and that we subsequently fixed, include SQL Injection, Session Fixation, and Cross-Site Scripting. More recently, some of our development teams have focused on implementing a fix for Cross-Site Request Forgery, or CSRF.
There are a number of measures that can be taken to prevent CSRF. Some of these, such as setting a reasonable timeout for login sessions, mitigate the threat but do not eliminate it. Others, such as checking the "Referer" header value in the HTTP request, cannot be relied upon in certain situations. There seems to be a consensus that the best solution relies on non-cookie-based request tokens. For examples, see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet and http://www.cgisecurity.com/csrf-faq.html#referer.
For those of you using Struts 2 as your server-side web application framework (as we often do), Struts 2 provides two pieces for this:
1. The "token" tag, which makes it easy to generate unique tokens.
2. The Token Session Interceptor, which makes it easy to verify that a submitted token is valid.
A good article that explains how to use the above techniques to prevent CSRF can be found here: http://nickcoblentz.blogspot.com/2008/11/csrf-prevention-in-struts-2.html.
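As an added illustration (not code from this post or from Struts itself), the pattern behind the token tag and the Token Session Interceptor reduced to plain Python: mint a random token when a form is rendered, keep it only in the server-side session, and let a state-changing request through only if it carries that token, consuming it so a replayed submission is also rejected. The session dictionary, the hypothetical handle_transfer action and the amounts are constructed for the example.

```python
import hmac
import secrets

TOKEN_FIELD = "csrf_token"      # hidden form field, the role Struts' token tag fills
SESSION_KEY = "_csrf_tokens"    # where outstanding tokens live in the server-side session


def issue_token(session):
    """Called when a form is rendered: mint a random token, remember it in the
    server-side session (never in a cookie), and return it for the hidden field."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session.setdefault(SESSION_KEY, set()).add(token)
    return token


def consume_token(session, submitted):
    """Called on a state-changing request: accept only a token that was issued to
    this session, and remove it so a replay of the same form is rejected."""
    if not submitted:
        return False
    outstanding = session.get(SESSION_KEY, set())
    # Compare against every outstanding token with a constant-time comparison
    # rather than `submitted in outstanding`, so timing does not leak a match.
    matched = None
    for token in outstanding:
        if hmac.compare_digest(token, submitted):
            matched = token
    if matched is None:
        return False
    outstanding.discard(matched)
    return True


def handle_transfer(session, form):
    """Hypothetical money-transfer action guarded the way the interceptor guards
    a Struts action: without a valid token, no side effect happens."""
    if not consume_token(session, form.get(TOKEN_FIELD)):
        return "invalid.token"  # the result name Struts' token interceptor uses
    session["balance"] = session.get("balance", 100) - int(form["amount"])
    return "success"


if __name__ == "__main__":
    session = {}                  # constructed: one user's server-side session
    token = issue_token(session)  # the form render embeds this as a hidden field
    print(handle_transfer(session, {TOKEN_FIELD: token, "amount": "10"}))  # success
    print(handle_transfer(session, {TOKEN_FIELD: token, "amount": "10"}))  # invalid.token (replay)
    print(handle_transfer(session, {"amount": "10"}))                      # invalid.token (forged)
```

A forged cross-site request can carry the victim's cookies but not the token, because the token never leaves the server except inside the form the server itself rendered.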
What techniques or applications have you used to help ensure maximum security in your development projects? What is the greatest challenge you have faced in doing so? We would love to hear your thoughts, so feel free to use the comment section below.
-Andrew Sy, 5AM Solutions