Over the past few weeks, I've read several posts from folks around the industry on how to secure web applications, and I've read many interesting viewpoints. In my opinion, there are seven basic ideas that any security professional should carry with them for web applications.
Test everything
The first concept for every security professional is to test everything. There is no amount of testing that counts as "done": test, and simply keep testing. Just because you ran one scan with some tool and reviewed the results does not mean testing should end. What was once a very secure application could absolutely be compromised tomorrow.
Secure the foundation
Web applications are nothing more than applications running on an operating system, so it is still absolutely critical to secure the environment they live in.
Encrypt your data
Data encryption can be applied in a number of areas within your architecture: SSL certificates for data in transit, encryption of data in the database, or encryption at the file system level. I won't presume to recommend a specific "type" of encryption here, but the use of encryption is highly recommended.
Validate all input
With application security vulnerabilities, the majority lie with poor input validation. Using input validation in all areas of the application is absolutely critical. If you can find tools that will perform input analysis on your application prior to going live, I would highly recommend employing them. For those not familiar with input analysis techniques, these are solutions that search for every component of your application where input is taken in (controls, form fields, etc.) and assist with the validation of those points.
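To make the "validate at every input point" idea concrete, here is an added example (my own illustration, not code from the original post): an allowlist validator applied to a submitted form. The field names, patterns and the 1..100 quantity range are constructed assumptions; the point is that each input point has an explicit rule, values that do not match are rejected rather than "cleaned", and fields the application did not ask for are rejected too.

```python
import re
from typing import Any, Callable, Dict, Tuple

# Constructed allowlist patterns for the hypothetical form fields below.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$")
QUANTITY_RE = re.compile(r"^[0-9]{1,3}$")


def validate_username(value: Any) -> str:
    # Allowlist, not denylist: only the characters we expect are accepted.
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 characters of [A-Za-z0-9_]")
    return value


def validate_email(value: Any) -> str:
    if not isinstance(value, str) or len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("email has an unexpected shape")
    # Normalise only after the value has passed validation.
    return value.lower()


def validate_quantity(value: Any) -> int:
    # Accept an int or a plain digit string; bool is excluded because it is an int subclass.
    if isinstance(value, bool):
        raise ValueError("quantity must be an integer")
    if isinstance(value, str):
        if not QUANTITY_RE.fullmatch(value):
            raise ValueError("quantity must be an integer")
        value = int(value)
    if not isinstance(value, int):
        raise ValueError("quantity must be an integer")
    if not 1 <= value <= 100:
        raise ValueError("quantity out of range 1..100")
    return value


# One rule per input point. A field with no rule here is not accepted at all.
RULES: Dict[str, Callable[[Any], Any]] = {
    "username": validate_username,
    "email": validate_email,
    "quantity": validate_quantity,
}


def validate_form(form: Dict[str, Any],
                  rules: Dict[str, Callable[[Any], Any]] = RULES) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Validate every submitted field against the allowlist.

    Returns (clean, errors). Unknown fields and missing fields are both errors,
    and a field only reaches `clean` when its rule accepted it.
    """
    clean: Dict[str, Any] = {}
    errors: Dict[str, str] = {}
    for name in form:
        if name not in rules:
            errors[name] = "unexpected field"
    for name, check in rules.items():
        if name not in form:
            errors[name] = "missing"
            continue
        try:
            clean[name] = check(form[name])
        except ValueError as exc:
            errors[name] = str(exc)
    return clean, errors


if __name__ == "__main__":
    # Constructed sample submissions: one valid, one with a bad value in every field.
    print(validate_form({"username": "alice_1", "email": "Alice@Example.com", "quantity": "7"}))
    print(validate_form({"username": "a", "email": "not-an-email", "quantity": "0", "debug": "1"}))
```

The handler that receives the form should use only the `clean` dictionary and return the `errors` to the user; the raw `form` never reaches business logic or a query.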
Authenticate strongly
Authentication is key to applications, and the use of strongly authenticated users or sessions is necessary. If strong authentication is not always an option, at the very least, please encourage your users (or your security policy) to require strong passwords.
Control Access to the Application
As discussed in our AJAX post, validation of data is a very difficult aspect of securing your web application. Validating every single request to your web application is sometimes difficult; nevertheless, my recommendation is to do your best with this.
Manage sessions carefully
Session management is yet another very serious aspect of securing your web application. A point of weakness in many web applications is found where developers make some great attempt to create their own session management schemes. Three things I have for you: (1) cryptographically strong, (2) random, (3) strongly protected.
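The following added example (my own illustration, not code from the original post) covers both the "validate every request" point and the three session properties above. The client holds only an opaque token drawn from the OS CSPRNG (cryptographically strong and random); the server keeps the session state and stores only a SHA-256 of the token, so a leaked store does not hand out live sessions (strong protection); sessions expire on idle and are rotated after login. Every request then re-checks the session and the caller's ownership of the requested object. The document table, the 30-minute idle timeout and the injectable clock are constructed assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

SESSION_IDLE_TTL = 30 * 60  # constructed idle timeout, in seconds


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session store keyed by a hash of the client's token."""

    def __init__(self, ttl: float = SESSION_IDLE_TTL, now: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested deterministically

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored; a copy of the store cannot be replayed as tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, not derived from user data or time.
        token = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[self._key(token)] = Session(user_id, t, t)
        return token

    def lookup(self, token: str) -> Optional[Session]:
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._now() - session.last_seen > self._ttl:
            del self._sessions[key]  # idle too long: treat as logged out
            return None
        session.last_seen = self._now()
        return session

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for the same user; call after login or privilege change."""
        session = self.lookup(token)
        if session is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(session.user_id)

    def destroy(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


# Constructed ownership table: document id -> owning user.
DOCUMENTS = {"doc-1": "alice", "doc-2": "bob"}


def handle_get_document(store: SessionStore, token: Optional[str], doc_id: str) -> Tuple[int, str]:
    """Per-request check: valid session first, then object-level ownership."""
    session = store.lookup(token) if token else None
    if session is None:
        return 401, "authentication required"
    # Non-existent and not-owned look identical, so the response leaks nothing about other users' data.
    if DOCUMENTS.get(doc_id) != session.user_id:
        return 404, "not found"
    return 200, f"contents of {doc_id}"


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(handle_get_document(store, token, "doc-1"))
    print(handle_get_document(store, token, "doc-2"))
    print(handle_get_document(store, "not-a-real-token", "doc-1"))
```

In a real application the token travels in a cookie flagged `Secure` and `HttpOnly`, and `rotate` is called the moment a user authenticates so that a token issued before login is never upgraded to an authenticated one.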
Again, these are only a few thoughts that I'm throwing around here. There are a thousand other things that could be considered, so please don't treat this as the almighty list [no flames, please].