Here are some of my notes on what we can deploy, using modern browser technologies, to help protect web applications.
Instead of depending on developers to fix every webapp vulnerability (XSS, CSRF, and so on) one at a time, below are a few things we should strategize at the policy/framework level.
A New Strategy for WebApp
Traditionally, we assess web application (webapp) security via scanning and penetration testing (pentest). This does not scale when you have a complex webapp, or many webapps with an undocumented CMDB.
A better way is to secure the webapp (or many webapps) via policy.
At the policy level, every webapp is required to implement a set of web security policies such as Content Security Policy (CSP). During regular scanning, the scanner checks whether those policies are still in place, and any webapp that has dropped or weakened them is flagged as violating the policy. Note that the scanner has to inspect the content of the policy, not just its presence: a CSP that allows 'unsafe-inline' or a wildcard script source passes a presence check but gives no protection against XSS. The benefits include:
- It covers all the webapps at the domain level, without going into the details of every single link within a webapp.
- It works in a consistent manner (fewer false positives and false negatives) compared to manual penetration testing.
- It keeps many security best practices enforced on the high-severity webapps without redoing the pentest after every major upgrade.
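The following is an added example, not code from the original notes, of what the policy-compliance part of such a scanner looks like. It assumes a hypothetical organisational policy that every response must carry a Content-Security-Policy whose effective script sources do not allow 'unsafe-inline' (unless a nonce or hash overrides it, as CSP3 specifies) or a bare wildcard, must set frame-ancestors, and must also send Strict-Transport-Security and X-Content-Type-Options. The sample responses are constructed inline so the check runs offline; in a real scanner they would come from fetching each webapp's entry points.

```python
"""Policy-compliance check for HTTP security headers (added example).

The policy encoded here is an assumption for illustration: CSP present,
script sources not 'unsafe-inline'/'*', frame-ancestors set, plus HSTS and
X-Content-Type-Options. The sample responses below are constructed.
"""
from __future__ import annotations

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Headers the (hypothetical) policy requires on every response.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security missing",
    "x-content-type-options": "X-Content-Type-Options missing",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}.

    Directives are ';'-separated; the first token is the directive name,
    the rest are source expressions. Keywords like 'self' keep their quotes.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), [s.lower() for s in tokens[1:]]
        policy.setdefault(name, []).extend(sources)
    return policy


def csp_findings(csp: dict[str, list[str]]) -> list[str]:
    """Return policy violations for a parsed CSP (empty list = compliant)."""
    findings: list[str] = []
    # script-src falls back to default-src when it is not set.
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in scripts)
        # Per CSP3, 'unsafe-inline' is ignored when a nonce or hash is present.
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': inline XSS executes")
        if any(s in ("*", "http:", "https:") for s in scripts):
            findings.append("script-src allows scripts from any origin")
    if "frame-ancestors" not in csp:
        findings.append("frame-ancestors missing: page can be framed (clickjacking)")
    return findings


def check_response(headers: dict[str, str]) -> list[str]:
    """Evaluate one response's headers against the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        findings.extend(csp_findings(parse_csp(csp)))
    for name, message in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(message)
    return findings


def scan(responses: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Map each URL to its list of policy violations."""
    return {url: check_response(headers) for url, headers in responses.items()}


# Constructed sample responses (hypothetical hosts), one per outcome.
SAMPLE_RESPONSES = {
    "https://app1.example.com/": {  # compliant
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                                   "object-src 'none'; frame-ancestors 'none'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    },
    "https://app2.example.com/login": {  # no policy at all
        "Content-Type": "text/html",
    },
    "https://app3.example.com/": {  # CSP present but useless against XSS
        "Content-Security-Policy": "default-src * 'unsafe-inline'; frame-ancestors 'self'",
        "Strict-Transport-Security": "max-age=31536000",
        "X-Content-Type-Options": "nosniff",
    },
}

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RESPONSES).items():
        print(url, "OK" if not findings else "VIOLATIONS: " + "; ".join(findings))
```

The third sample is the case the scanner must catch: the header exists, so a presence-only check would mark it compliant, yet `default-src * 'unsafe-inline'` lets any injected inline script run. Running the file prints one line per URL with its violations.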
Links: