Secure Programming Lecture 10: Web Application Security (intro, authentication)

Here are some useful OWASP resources. First, highly recommended reading:

The OWASP Top 10
- here is a local copy of the 2017 report

The pages connect to many useful resources. OWASP has recorded some vulnerabilities which may have not otherwise been given CVE numbers. If there is a single server or owning site, web app vulnerabilities may be short-lived, repaired quickly and not announced by site owners:

The OWASP/WASC Web Hacking Incident Database as a Google spreadsheet which is interest to peruse/search (1557 incidents up to 2015).

Authentication

These OWASP resources include advice for the Broken Authentication risk category considered in this lecture:

The lecture slides also pointed to two recent pieces of government advice:

the 2016 UK NCSC Password guidance: simplifying your approach
the 2017 US NIST 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management

References and credits

Some examples were adapted from:

[Innocent Code: a security wake-up call for web programmers][InnocentCode] by Sverre H. Huseby, Wiley, 2004.

as well as the OWASP resources and named RFCs.

Home : Teaching : Courses : Sp : 2019

Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Tel: +44 131 651 5661, Fax: +44 131 651 1426, E-mail: school-office@inf.ed.ac.uk
Please contact our webadmin with any comments or corrections. Logging and Cookies
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh