A Security Checklist for Web Application Design

A Security Checklist for Web Application Design (PDF, 1.97MB)

Published: 02 May, 2004

Created by Gail Bayse

Web applications are very enticing to corporations. They provide quick access to corporate resources, user-friendly interfaces, and effortless deployment to remote users. For the very same reasons, web applications can be a serious security risk to the corporation: unauthorized users find the same benefits, namely 'quick', 'user-friendly' and 'effortless' access to corporate data. This paper is written for Information Technology professionals who are not programmers and may not be aware of the specific problems introduced when an externally facing web application is attached to a mission-critical database. The content describes the security challenges introduced by externally facing web applications. It provides the knowledge necessary to articulate to developers the security requirements for a specific web application, to make the developer contractually obligated to build an application that is secure, and to ensure that appropriate testing is completed before the application moves to a production environment. The document is structured as a checklist of challenges. For each challenge there are specific checkpoints that delineate the security concern; the list provides a basis for securing web applications, and the databases they connect to, from both malicious and unintentional abuse.