This guide provides guidelines to prevent security vulnerabilities on any website that is hosted and maintained on any BioSci server.
Web applications can be vulnerable to cyber attacks that can compromise sensitive data. Developers should code with security practices in mind.
Web applications may be reviewed and tested for security vulnerabilities by BioSci Computing; nevertheless, the responsibility still falls on the website owner.
It is imperative to read and understand the ‘OWASP Top 10 Web Application Security Risks’ and the ‘OWASP Top 10 Mobile Risks’ documents. These cover the areas in which the majority of security exploits have been identified, so preventive measures must be implemented for each of them.
You must implement the OWASP recommended remediation action items which counteract exploits and vulnerabilities.
- Constrain, validate, and sanitize or reject all user data. Validation may cover type, length, format and range. This must be done on the server side; client-side checks can be bypassed.
- Escape output by stripping or encoding unwanted data, for example malformed HTML or script tags, before rendering it for the end user.
- Avoid storing sensitive data in code, such as passwords, database connection strings and credit card numbers. Encrypt confidential information whenever possible.
- Never leak sensitive data in debug output or error messages shown to users. Instead, write the detailed error messages to a log.
- A session ID should not be stored in a URL, persistent cookies, hidden HTML fields or HTTP headers. The session ID should not be predictable: keep it long and randomly generated.
- Implement a security control mechanism to authenticate the identity of the user. This authentication is commonly handled with a username and password, but it may also be done with Webauth.
- Implement access control so that each user's access to data is limited to his or her authorized access level.
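The following is an added example, not code from this guide or from BioSci Computing, showing how the validation, output-escaping and session-ID items above look in practice. The field names, the username pattern and the age and comment limits are constructed assumptions for illustration only.

```python
import html
import re
import secrets

# Constructed rule for illustration: 3-32 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
MAX_COMMENT_LEN = 500  # constructed limit


def validate_submission(form: dict) -> dict:
    """Server-side validation of type, length, format and range.

    Returns a dict of field -> error message; empty means the data is accepted.
    """
    errors = {}

    username = form.get("username")
    if not isinstance(username, str):            # type
        errors["username"] = "must be a string"
    elif not USERNAME_RE.fullmatch(username):    # length and format
        errors["username"] = "3-32 letters, digits or underscores"

    age = form.get("age")
    if not isinstance(age, int) or isinstance(age, bool):  # type (bool is an int subclass)
        errors["age"] = "must be an integer"
    elif not 0 <= age <= 150:                    # range
        errors["age"] = "must be between 0 and 150"

    comment = form.get("comment", "")
    if not isinstance(comment, str):             # type
        errors["comment"] = "must be a string"
    elif len(comment) > MAX_COMMENT_LEN:         # length
        errors["comment"] = "too long"

    return errors


def render_comment(comment: str) -> str:
    """Escape on output: any HTML or script tags in the stored text render as literal text."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def new_session_id() -> str:
    """Unpredictable session ID from the OS CSPRNG (32 random bytes, 43 URL-safe characters)."""
    return secrets.token_urlsafe(32)
```

A rejected submission is handled by returning the error map to the client and writing any detail that could help an attacker only to the server log.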
UCI BioSci Requirements
- Create clear documentation of configurations.
- Document program source code and keep the documentation up to date when changes occur.
- Review and audit log activity frequently for exceptions.