Although the OWASP lists are comprehensive, ensuring that your code never falls foul of any weakness on the lists is a difficult and time-consuming task. One option is to use automated tools such as Web application scanners to assist the process. Web application scanners can be use during development, QA or even in production. This saves time and money, and allows you to scan continually rather than just every day or once a week.

It's also essential to revise your security policy according to what the scan discovers. Exchanging vulnerabilities and positive attributes between the scanner and an application firewall can make sure that your Web application is secure.

However you manage your security, there's a handful of key points that you can employ to ensure that your Web application isn't leaking money:


1. Use a Web application scanner to discover vulnerabilities and develop a security policy for each application based on its unique positive attributes.

2. When planning the security of a server, use a positive security model rather than a negative one. By default, turn off all access and then enable facilities on an as-needed basis. Although starting with everything turned on, and then looking for paths that can be closed off, is always more convenient, it's also a huge security risk.

3. Install a Web application firewall to ensure that all the security policies are enforced, just like you use a Network firewall to secure your network.

4. Be prepared to act on what you discover during your scans, by revising your business methods or your security policy.

5. Consider using an automated tool to check your server code against the OWASP Top Ten Web Application Vulnerabilities list.

6. Install all server OS security patches.



Yuval Ben-Itzhak is Co-Founder & CTO of KaVaDo Inc. - www.kavado.com