JavaOne 2010 - Ten Security Vulnerabilities for Software as a Service
This session was a good refresher on web application security in general. It was not really a session devoted to SaaS as the title suggested. It serves as a good checklist to look through before deploying any application.
A few notes on the 10 issues mentioned:
1. Data Injection
- Sanitise hidden form fields and cookies
2. Cross Site scripting
i.e. JavaScript injection through URL params
3. SQL Injection
- sanitise all POST data
4. Cross Site request forgery
- add anti CSRF token in hidden form field
5. XML Validation and Schema
- use a DTD/schema to validate all posted XML
i.e. SAXParser.validate
6. Path Manipulation
- sanitise file I/O path inputs
7. Password Management
- don’t hard-code passwords... duh
8. Session & State
- session id fixation:
- change sessionId after login
- invalidate session after logout
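Items 4 and 8 in code, as an added example rather than anything shown in the session: two helpers for the application's own login and logout servlets (names mine) and a Servlet 4.0 `HttpFilter` that rejects any POST lacking the session's anti-CSRF token. Assumptions: the javax.servlet 4.0 API, and that forms render the token into a hidden field called `_csrf`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class SessionHardening {
    static final String CSRF_ATTR = "csrfToken";
    static final SecureRandom RNG = new SecureRandom();

    // Item 8: call once credentials have checked out; never keep the session id the browser arrived with.
    static HttpSession startAuthenticatedSession(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();        // fixation defence: a pre-set id dies here
        HttpSession fresh = req.getSession(true); // container issues a new id and a new Set-Cookie
        fresh.setAttribute("user", user);
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);                       // per-session anti-CSRF token (item 4)
        fresh.setAttribute(CSRF_ATTR, Base64.getUrlEncoder().withoutPadding().encodeToString(buf));
        return fresh;                             // forms render the token as <input type="hidden" name="_csrf">
    }

    // Item 8: logout drops the server-side state, so the old cookie is worthless afterwards.
    static void endSession(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
    }

    // Item 4: every POST must carry the session's token in the _csrf field, compared in constant time.
    public static class CsrfFilter extends HttpFilter {
        @Override protected void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            if ("POST".equalsIgnoreCase(req.getMethod())) {
                HttpSession s = req.getSession(false);
                String expected = s == null ? null : (String) s.getAttribute(CSRF_ATTR);
                String got = req.getParameter("_csrf");
                if (expected == null || got == null || !MessageDigest.isEqual(
                        expected.getBytes(StandardCharsets.UTF_8), got.getBytes(StandardCharsets.UTF_8))) {
                    resp.sendError(HttpServletResponse.SC_FORBIDDEN); // generic error, no detail (item 9)
                    return;
                }
            }
            chain.doFilter(req, resp);
        }
    }
}
```

Map `CsrfFilter` to the URL patterns that accept form posts, and call `startAuthenticatedSession` only after the password check has passed, never before.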
9. Improper error handling
- don’t output stack traces and sensitive information in error messages
10. Not sure what this one was because I had to leave for another session. :) I’m sure it was a good one though.
