UC Davis Cyber-Safety Program: Web Application Security
If you are a computer user within an academic or administrative department on campus, you may have a Technology Support Coordinator (TSC) who is working to secure your system. Before taking any of the security steps listed below, please check with your TSC.
From the UC Davis Cyber-Safety Program Policy:
"Web applications developed or acquired by campus units must support secure coding practices. Web applications must mitigate the vulnerabilities described within the OWASP Top Ten Critical Web Application Security Vulnerabilities."
Information...
Attacks on Web-based applications are increasing. A successful attack may result in unauthorized access to applications and/or data, or in a denial-of-service condition. Such unauthorized access often carries significant financial costs for recovery and breach notification, and can also result in loss of confidence in the institution, regulatory penalties, and institutional embarrassment. Online applications developed by UC Davis need to meet or exceed industry-accepted security standards for Web applications.
For more about Web application security, including SQL-injection vulnerabilities and attack information, see Sysadmin Resources.
Campus sysadmins recommend...
OWASP Top Ten Most Critical Web Application Security Vulnerabilities
- Unvalidated Input
- Broken Access Control
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS) Flaws
- Buffer Overflows
- Injection Flaws
- Improper Error Handling
- Insecure Storage
- Denial of Service
- Insecure Configuration Management
Tools and Resources...
- Watchfire AppScan - Commercial application that scans Web applications for security vulnerabilities and simulates attacks using common attack vectors. Results map to the OWASP Top 10 and SANS Top 20 vulnerabilities.
- CERT, Secure Coding - Coding practices for avoiding Web application security vulnerabilities.
- WebScarab - Open source framework for analyzing applications that communicate using the HTTP and HTTPS protocols.