Understanding web application security
2008 October 18
Some links I picked up as part of background research for a lecture in internet application security.
For some background, clicking on the picture below will take you to a good overview of the design patterns involved in developing secure web applications, courtesy of MSDN’s Security Developer Center.
Now, the tools – with a bias to those that work on MSIE for a change (if you don’t already have Web Developer installed on your Firefox, well…):
- Slightly hacky site, but a good list.
- When you are developing Rich Internet Applications or top-quality websites, here’s a list of the most useful tools. Both Internet Explorer and Mozilla Firefox have web developer toolbars and JavaScript debuggers. You can monitor the HTTP streams between browser and server in Internet Explorer, and monitor JavaScript memory leaks in Firefox. With Lynx, you can also discover how search engines see your site.
- For those who can’t tear themselves away from MSIE: the Internet Explorer Developer Toolbar provides several features for exploring and understanding Web pages.
- A web debugging proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.
And now, two SANS courses:
- On why particular problems remain so common, even though most web developers are aware of them and consider them when writing new applications. This paper does not discuss a particular language.
- We did not say much about how to defend against each of these tests. However, the overall approach should not be to fix vulnerabilities one at a time as they are found, but to develop strategies and procedures that will prevent these vulnerabilities in the first place. It is imperative for a Web application to create a library of authentication, access control, session handling, and validation functions that are used consistently throughout the application.
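To make that last point concrete, here is an added example (mine, not code from either SANS paper) of what such a shared library looks like in Python: one place each for input validation, HTML output encoding, session tokens and role checks, and a request handler that is written only in terms of those functions. The in-memory session store and the dict-shaped request are constructed stand-ins for a real framework.

```python
"""A small, centralised security library plus one handler that uses it.
Constructed example: in-memory session store, dict-shaped requests."""
import html
import re
import secrets
from functools import wraps

# ---- validation: one place that defines what "valid" means ----
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


class ValidationError(ValueError):
    pass


def validate_username(raw):
    """Allow-list check; rejects anything outside the expected alphabet."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("invalid username")
    return raw


def validate_int(raw, lo, hi):
    """Parse an integer parameter and enforce a closed range [lo, hi]."""
    try:
        value = int(str(raw).strip(), 10)
    except ValueError:
        raise ValidationError("not an integer") from None
    if not lo <= value <= hi:
        raise ValidationError("out of range")
    return value


# ---- output encoding: one function for every HTML sink ----
def encode_for_html(value):
    return html.escape(str(value), quote=True)


# ---- session handling: unguessable tokens, one store ----
_SESSIONS = {}  # token -> user record; a real app would use a server-side store


def create_session(user):
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _SESSIONS[token] = user
    return token


def destroy_session(token):
    _SESSIONS.pop(token, None)


class AuthenticationError(PermissionError):
    pass


class AccessDenied(PermissionError):
    pass


def current_user(token):
    """Resolve a session token to a user record, or fail closed."""
    user = _SESSIONS.get(token) if token else None
    if user is None:
        raise AuthenticationError("no valid session")
    return user


# ---- access control: a decorator instead of ad hoc per-handler checks ----
def require_role(role):
    def decorator(handler):
        @wraps(handler)
        def wrapper(request):
            if role not in request["user"].get("roles", ()):
                raise AccessDenied(f"role {role!r} required")
            return handler(request)
        return wrapper
    return decorator


# ---- a handler written only in terms of the library above ----
@require_role("admin")
def set_quota_handler(request):
    name = validate_username(request["params"].get("name"))
    quota = validate_int(request["params"].get("quota"), 0, 1000)
    return f"<p>Quota for {encode_for_html(name)} set to {quota}</p>"


def handle(token, params, handler=set_quota_handler):
    """Front controller: authenticate first, then dispatch to the handler."""
    request = {"user": current_user(token), "params": params}
    return handler(request)


if __name__ == "__main__":
    admin_token = create_session({"name": "root", "roles": ["admin"]})
    print(handle(admin_token, {"name": "bob", "quota": "50"}))
```

The handler never touches `request["params"]` except through a validator, never concatenates raw input into HTML, and never decides for itself who is logged in; every one of those decisions lives in a function that can be reviewed and tested once. Reviewing a new handler then becomes a matter of checking that it uses the library rather than re-auditing the checks themselves.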